Abstract. We discuss the relationship between quaternion algebras and quadratic
forms with a focus on computational aspects. Our basic motivating problem is to
determine if a given algebra of rank 4 over a commutative ring R embeds in the
2 × 2-matrix ring M_2(R) and, if so, to compute such an embedding. We discuss
many variants of this problem, including algorithmic recognition of quaternion
algebras among algebras of rank 4, computation of the Hilbert symbol, and
computation of maximal orders.



Since the discovery of the division ring of quaternions over the real numbers by 
Hamilton, and continuing with work of Albert and many others, a deep link has 
been forged between quadratic forms in three and four variables over a field F and 
quaternion algebras over F. Starting with a quaternion algebra over F, a central 
simple F-algebra of dimension 4, one obtains a quadratic form via the reduced 
norm (restricted to the trace zero subspace); the split quaternion algebra over F, 
the 2 × 2-matrix ring M_2(F), corresponds to an isotropic quadratic form. Conversely,
one recovers the quaternion algebra via the Clifford algebra of the quadratic form. 
In this article, we give an exposition of this link relating quaternion algebras and 
quadratic forms from an explicit, algorithmic perspective. 

Let R be a noetherian, commutative domain. We say that R is computable if
there exists an encoding of R into bits with algorithms to perform ring operations 
in R and to test if an element of R is zero. 

The following basic algorithmic problem, along with its many variants, forms the 
core of this article. (See §1 for further definitions and algorithmic specifications.) 

Problem (IsMatrixRing). Given a computable domain R and an R-algebra O of
rank 4, determine if O embeds in M_2(R) and, if so, compute an explicit embedding
O ↪ M_2(R) of R-algebras.

The problem (IsMatrixRing) captures in an important way the link between
quadratic forms and quaternion algebras. In the simplest case where R = F is a
field — when such an embedding is necessarily an isomorphism — this problem
corresponds to asking if a ternary quadratic form over F represents zero nontrivially,
and for this reason it arises in a wide variety of situations. In the case where R is
a local ring, this problem corresponds to the computation of an (explicit) integral
splitting of a quaternion order and thereby appears as a foundational step in many
algorithms in arithmetic geometry (see e.g. work of Kirschmer and the author [18]).
In these and other ways, therefore, (IsMatrixRing) will serve as a kind of unifying and
motivating question.

In §1, we introduce the basic terminology we will use throughout concerning
computable rings and quaternion algebras. In §2, we consider algebras equipped
with a standard involution and we exhibit an algorithm to test if an F-algebra B
has a standard involution. In §3, we relate algebras with a standard involution to
quadratic forms via the reduced norm; we introduce the theory of quadratic forms
over local PIDs, providing an algorithm to compute a normalization of such a form.
As a consequence, we exhibit an algorithm to test if an F-algebra B is a quaternion
algebra and, if so, to compute standard generators for B. With these reductions,
we turn in §4 to Problem (IsMatrixRing) for quaternion algebras and prove that this
problem is deterministic polynomial-time equivalent to the problem of determining
if a conic defined over F has an F-rational point (and, if so, to exhibit one).

In §5, we consider Problem (IsMatrixRing) in the case where F is a local field, 
which corresponds to the computation of the Hilbert symbol; in §6 we treat the more 
delicate case of a local dyadic field, and putting these together prove that there is a 
deterministic polynomial-time algorithm to compute the Hilbert symbol (Theorem 
16. We thereby exhibit an algorithm to compute the generalized Jacobi symbol for 
computable Euclidean domains. In §7, we turn to the case of a Dedekind domain 
R and relate Problem (IsMatrixRing) to the problem of computing a maximal R- 
order; we prove that the problem of computing a maximal order for a quaternion 
algebra B over a number field F is probabilistic polynomial-time equivalent to the 
problem of factoring integers. Finally, in §8, we consider the problem (IsMatrixRing) 
over Q, and show that recognizing the matrix ring is deterministic polynomial-time 
equivalent to the problem of quadratic residuosity. 

Many of the results in this paper fit into the more general setting of semisimple 
algebras; however, we believe that the special link to quadratic forms, along with 
the wide application of quaternion algebras (analogous to that of quadratic field 
extensions), justifies the specialized treatment they are afforded here. 

The author would like to thank his Ph.D. advisor Hendrik Lenstra for his many 
helpful comments, the Magma group at the University of Sydney for their support 
while writing this paper, and David Kohel for his valuable input. We are indebted to 
Carl Pomerance for the citation [2]. Some of the results herein occur in the author's 
Ph.D. thesis [37]. Writing this paper was partially supported by the National 
Security Agency under Grant Number H98230-09-1-0037. 

1. Rings and algebras 

We begin by introducing some notation and background that will be used
throughout. Let R be a commutative, noetherian domain (with 1), and let F be the
field of fractions of R.

Let O be an R-algebra, an associative ring with 1 equipped with an embedding
R ↪ O of rings (taking 1 ∈ R to 1 ∈ O) whose image lies in the center of O; we
identify R with its image under this embedding. We will assume without further
mention that O is a finitely generated, projective (equivalently, locally free)
R-module of rank n.

Computable rings and algebras. We will follow the conventions of Lenstra [21] 
for rings and algorithms, with the notable exception that we do not require all rings 
to be commutative. 
A domain R is computable if R comes equipped with a way of encoding elements
of R in bits (i.e. the elements of R are recursively enumerable, allowing repetitions)
along with deterministic algorithms to perform ring operations in R (addition,
subtraction, and multiplication) and to test if x = 0 ∈ R; a ring is
polynomial-time computable if these algorithms run in polynomial time (in the bit
size of the input). A field is computable if it is a computable ring and furthermore
there exists an algorithm to divide by a nonzero element. For precise definitions and a
thorough survey of the subject of computable rings we refer to Stoltenberg-Hansen
and Tucker [32] and the references contained therein.

A domain R which is the localization of a ring which is finitely generated over 
its prime ring is computable by the theory of Gröbner bases p3]. For example, any
finitely generated algebra over Z or Q (without zerodivisors, since we restrict to 
domains) is computable, and in particular the coordinate ring of any integral affine 
variety over a finitely generated field is computable. 

If R is a computable domain, then F is a computable field if elements are
represented in bits as pairs of elements of R in the usual way. Inexact fields (e.g.
local fields, such as Q_p or ℝ) are not computable, since they are uncountable! However,
see the discussion in fj5] for the use of a computable subring which works well in our
situation.

A number field F is computable, specified by the data of the minimal polynomial 
of a primitive element (itself described by the sequence of its coefficients, given as 
rational numbers) ; elements of F are described by their standard representation in 
the basis of powers of the primitive element [H §4.2.2]. For a detailed exposition of
algorithms for computing with a number field F, see Cohen [BJ [7] and Pohst and
Zassenhaus pS].

Remark 1.1. Global function fields, i.e. finite extensions of Fp(T), can be treated in 
a parallel fashion to number fields. Unfortunately, at the present time the literature 
is much less complete in providing a suite of algorithms for computing with integral 
structures in such fields — particularly in the situation where one works in a relative 
extension of such fields — despite the fact that some of these algorithms have already 
been implemented in Magma IT by Hess [Tl]. Therefore, in this article we will often 
consider just the case of number fields and content ourselves to notice that the 
algorithms we provide will generalize with appropriate modifications to the global 
function field setting. 

Throughout this article, when discussing algorithms, we will assume that the 
domain R and its field of fractions F are computable. 

Let B be an F-algebra with dim_F B = n and basis e_1, e_2, …, e_n (as an F-vector
space), and suppose e_1 = 1. A multiplication table for B is a system of n^3 elements
(c_{ijk})_{i,j,k=1,…,n} of F, called structure constants, such that multiplication in B is
given by



for i, j ∈ {1, …, n}.

An F-algebra B is represented in bits by a multiplication table and elements of
B are represented in the basis e_i. Note that basis elements in B can be multiplied
directly by the multiplication table but multiplication of arbitrary elements in B
requires O(n^3) arithmetic operations (additions and multiplications) in F; in either
case, note the output is of polynomial size in the input.

Remark 1.2. We have assumed that B is associative as an F-algebra; however,
this property can be verified by simply checking the associative law on a set of
generators.

Remark 1.3. We require that the element 1 be included as a generator of B, since
by our definition an F-algebra is equipped with an embedding F ↪ B. This is not
a serious restriction, for the equations which uniquely define the element 1 in B are
linear equations and so 1 ∈ B can be (uniquely) recovered by linear algebra over
F.

An R-algebra O is represented in bits by the F-algebra B = O ⊗_R F and a set of
R-module generators x_1, …, x_m ∈ B with x_1 = 1. A morphism between R-algebras
is represented by the underlying R-linear map, specified by a matrix in the given
sets of generators for the source and target.

Quaternion algebras. We refer to Vignéras [36] and Reiner [55] for background
relevant to this section. 

An F-algebra B is central if the center of B is equal to F, and B is simple if
the only two-sided ideals of B are (0) and B (or equivalently that any F-algebra
homomorphism with domain B is either the zero map or injective).

Remark 1.4. One can compute the center of B by solving the n linear equations
x e_i = e_i x for x = x_1 e_1 + ⋯ + x_n e_n and thereby, for example, verify that B is
central.

Definition 1.5. A quaternion algebra B over F is a central simple F-algebra with
dim_F B = 4.

An F-algebra B is a quaternion algebra if and only if there exist i, j ∈ B which
generate B as an F-algebra such that

(1.6) $i^2 = a, \quad j^2 = b, \quad ji = -ij$

with a, b ∈ F^× if char F ≠ 2, and

(1.7) $i^2 + i = a, \quad j^2 = b, \quad ji = (i + 1)j$

with a ∈ F and b ∈ F^× if char F = 2. We give an algorithmic proof of this
equivalence in §3. We accordingly denote an algebra (1.6)–(1.7) by
$B = \left(\frac{a,b}{F}\right)$ and say that B is in standard form and call the
elements i, j standard generators. Note that B has basis 1, i, j, ij as an F-vector
space, so indeed dim_F B = 4.

Example 1.8. The ring M_2(F) of 2 × 2-matrices with coefficients in F is a quaternion

algebra over F. Indeed, we have ^-^^ — A'hiF) with j ^ and 

'^[o -l) '^[l 1 

according as char F ≠ 2 or char F = 2.

Every quaternion algebra over a separably (or algebraically) closed field F is 
isomorphic to M2(F). 
Example 1.9. The ℝ-algebra ℍ, generated by i, j satisfying $i^2 = j^2 = (ij)^2 = -1$, is
the usual division ring of quaternions over ℝ. Every quaternion algebra over ℝ is
isomorphic to either M_2(ℝ) or ℍ, according to the theorem of Frobenius.

Let B be an F-algebra. An R-order in B is a subring O ⊂ B which is finitely
generated as an R-module and such that OF = B. We see that an R-algebra O is
an R-order in B = O ⊗_R F, and we will use this equivalence throughout, sometimes
thinking of O as an R-algebra on its own terms and at other times thinking of O
as arising as an order inside an algebra over a field.

A quaternion order over R is an R-order in a quaternion algebra B over F.
Equivalently, an R-algebra O is a quaternion order if B = O ⊗_R F is a quaternion
algebra over F.

Example 1.10. M_2(R) is a quaternion order in M_2(F).

If a, b ∈ R then O = R ⊕ Ri ⊕ Rj ⊕ Rij is a quaternion order in $B = \left(\frac{a,b}{F}\right)$.

Further examples of quaternion orders will be defined in the next section (see
Lemma 2.9).

Modules over Dedekind domains. Let R be a Dedekind domain, an integrally
closed domain in which every prime ideal is maximal. Every field is a Dedekind
domain (vacuously), as is the integral closure of Z or Fp[T] in a finite (separable)
extension of Q or Fp(T), respectively. The localization of a Dedekind domain at a
multiplicative subset is again a Dedekind domain. If R is the ring of integers of a
number field, then we call R a number ring.

Over a Dedekind domain R, every projective R-module M can be represented as
the direct sum of projective R-modules of rank 1, which is to say that there exist
projective (equivalently, locally principal) R-modules 𝔞_1, …, 𝔞_n ⊂ F and elements
x_1, …, x_n ∈ O with 𝔞_1 = R and x_1 = 1 such that

M = 𝔞_1 x_1 ⊕ ⋯ ⊕ 𝔞_n x_n;

we say then that the elements x_i are a pseudobasis for M with coefficient ideals 𝔞_i.
More generally, if M = 𝔞_1 x_1 + ⋯ + 𝔞_m x_m (the sum not necessarily direct), then we
say the elements x_i are a pseudogenerating set for M (with coefficient ideals 𝔞_i).
In fact, the above characterization can be made computable as follows.

Proposition 1.11. Let R be a number ring. Then there exists an algorithm which,
given a projective R-module M specified by a pseudogenerating set, returns a
pseudobasis for M.

The algorithm in Proposition 1.11 is a generalization of the Hermite normal form
(HNF) for matrices over Z; see Cohen [TJ Chapter 1]. Therefore, from now on we
represent a quaternion order O over a number ring R by a pseudobasis.

2. Standard involutions and degree 

Quaternion algebras, or more generally algebras which have a standard
involution, possess a quadratic form called the reduced norm. In this section, we
discuss this association and we give an algorithm which verifies that an algebra has a
standard involution. As a reference, see Jacobson [17, §1.6], Knus [19], and work of the
author [38].
In this section, let R be an integrally closed (noetherian) domain with field of
fractions F. Let O be an R-algebra and let B = O ⊗_R F.

Degree. We first generalize the notion of degree from field extensions to R-algebras.

Definition 2.1. The degree of x ∈ O over R, denoted deg_R(x), is the smallest
positive integer n such that x satisfies a monic polynomial of degree n with coefficients
in R. The degree of O over R, denoted deg_R(O), is the smallest positive integer n
such that every element of O has degree at most n.

Every x ∈ O satisfies the characteristic polynomial of (left) multiplication by
x on a set of generators for O as an R-module, and consequently deg_R(O) < ∞
(under our continuing hypothesis that O is projective of finite rank).

Lemma 2.2. We have deg_R(O) = deg_F(B).

Proof. Since O is finitely generated as an R-module and R is noetherian, the
R-submodule R[x] ⊂ O is finitely generated, so x is integral over R. Since R is
integrally closed, the minimal polynomial of x ∈ O over F has coefficients in R
by Gauss' lemma, so deg_R(x) = deg_F(x) and thus deg_R(O) ≤ deg_F(B). On the

other hand, ii y E B then there exists d E R such that x = yd G O so 
degp{x) = dcg^(?y) = dcg^(y) so dcgp{B) < dcg^(e'). □ 

From the lemma, we need only consider the degree of an algebra over a field. 

Example 2.3. B has degree 1 if and only if B = F.

If K is a separable field extension of F with dim_F K = n, then K has degree n
as an F-algebra (in the above sense) by the primitive element theorem.

If dim_F B = n, then B has degree at most n but even if B is commutative one
may still have deg_F(B) < dim_F B: for example, B = F[x, y, z]/(x, y, z)^2 has rank
4 over the field F but has degree 2.

We will see in a moment that quaternion orders and quaternion algebras are
algebras of degree 2.

Standard involutions. In fact, quaternion orders and quaternion algebras possess 
a standard involution. 

Definition 2.4. An anti-automorphism of O is an R-linear map ‾ : O → O with
$\bar{1} = 1$ and $\overline{xy} = \bar{y}\,\bar{x}$ for all x, y ∈ O. An involution is an
anti-automorphism such that $\bar{\bar{x}} = x$ for all x ∈ O. An involution is standard if
$x\bar{x} \in R$ for all x ∈ O.

Note that if $x\bar{x} \in R$ for all x ∈ O, then
$(x + 1)\overline{(x + 1)} = x\bar{x} + (x + \bar{x}) + 1 \in R$
and hence $x + \bar{x} \in R$ for all x ∈ O as well. Note that $x\bar{x} = \bar{x}x$ for all x ∈ O since
$x(x + \bar{x}) = (x + \bar{x})x$ (and R is central in O).

Suppose now that O has a standard involution ‾. Then we define the reduced
trace and reduced norm, respectively, to be the maps

$\mathrm{trd} : O \to R, \quad x \mapsto x + \bar{x}$
$\mathrm{nrd} : O \to R, \quad x \mapsto x\bar{x} = \bar{x}x$

We have

(2.5) $x^2 - \mathrm{trd}(x)x + \mathrm{nrd}(x) = x^2 - (x + \bar{x})x + \bar{x}x = 0$

for all x ∈ O. It follows that if O has a standard involution then either O = R (so
the standard involution is the identity and O = R has degree 1) or O has degree 2.



IDENTIFYING THE MATRIX RING 






Lemma 2.6. O has a standard involution if and only if B = O ⊗_R F has a standard
involution.

Proof. If O has a standard involution, we obtain one on B by extending F-linearly.
Conversely, suppose B has a standard involution and let x ∈ O. Then as in the proof
of Lemma 2.2, x is integral over R so its minimal polynomial over F has coefficients
in R. If x ∈ R, then $\bar{x} = x$ and there is nothing to prove. If x ∉ R, this minimal
polynomial must be (2.5), so $\mathrm{trd}(x) = x + \bar{x} \in R$ and thus
$\bar{x} = \mathrm{trd}(x) - x \in O$ has $x\bar{x} = \mathrm{nrd}(x) \in R$ as well. □

An R-algebra S is quadratic if S has rank 2 as an R-module.

Lemma 2.7. Let S be a quadratic R-algebra. Then S is commutative and has a
unique standard involution.

Proof. By Lemma 2.6, it suffices to prove the lemma for K = S ⊗_R F. But then
for any x ∈ K \ F we have K = F ⊕ Fx so K is commutative. Moreover, we have
x^2 − tx + n = 0 for some unique t, n ∈ F and so the unique standard involution is
given by x ↦ t − x (extending by F-linearity). □

(See also Scharlau [31, §8.11] for a proof of this lemma.)

Corollary 2.8. If O has a standard involution, then this involution is unique. 

This corollary follows immediately from Lemma 2.7 by restricting to quadratic
subalgebras K of B.

Quaternion orders. Having identified the standard involution on a quadratic
algebra, we now generalize the construction of quaternion algebras (1.6)–(1.7) to
quaternion orders. Let S be a quadratic R-algebra, and suppose S is separable, so
the minimal polynomial of every x ∈ S has distinct roots over the algebraic closure
$\overline{F}$ of F. Let J ⊂ S be an invertible ideal (equivalently, a locally principal S-module)
and let b ∈ R \ {0}. We denote by I ' ' j the R-algebra S ⊕ Jj subject to the
relations $j^2 = b$ and $ji = \bar{i}j$ for all i ∈ S, where ‾ denotes the unique standard
involution on S from Lemma 2.7. We say that such an algebra is in standard form.

Lemma 2.9. The R-algebra O is a quaternion order.

Proof. We consider B = O ⊗_R F. Let K = S ⊗_R F and let i ∈ K \ F. Since K
is separable, if char F ≠ 2 by completing the square we may assume i^2 = a with
a ∈ F^×; if char F = 2, we may assume i^2 + i = a with a ∈ F. Now since J is
projective we have J ⊗_R F = K as a K-module so B = K ⊕ Kj as an F-algebra.
Finally, since $ji = \bar{i}j = (\mathrm{trd}(i) - i)j$ and trd(i) = 0, 1 according as char F ≠ 2 or
not, we have identified B as isomorphic to the quaternion algebra $\left(\frac{a,b}{F}\right)$. □

Algorithmically identifying a standard involution. We conclude this section
with an algorithm to test if an F-algebra B has a standard involution.

First, we note that if B has a standard involution ‾ : B → B, then this involution
and hence also the reduced trace and norm can be computed efficiently. Indeed,
let {e_i}_i be a basis for B; then trd(e_i) ∈ F is simply the coefficient of e_i in e_i^2,
and so $\bar{e_i} = \mathrm{trd}(e_i) - e_i$ for each i can be precomputed for B; one recovers the
involution on B (and hence also the trace) for an arbitrary element of B by
F-linearity. Therefore the involution and the reduced trace can be computed using
O(n) arithmetic operations in F (with output linear in the input) and the reduced
norm using O(n^2) operations in F (with output quadratic in the input).

Algorithm 2.10. Let B be an F-algebra given by a multiplication table in the
basis e_1, …, e_n with e_1 = 1. This algorithm returns true if and only if B has a
standard involution.

1. For i = 2, …, n, let t_i ∈ F be the coefficient of e_i in e_i^2, and let
n_i = e_i^2 − t_i e_i. If some n_i ∉ F, return false.

2. For i = 2, …, n and j = i + 1, …, n, let n_{ij} = (e_i + e_j)^2 − (t_i + t_j)(e_i + e_j).
If some n_{ij} ∉ F, return false. Otherwise, return true.

Proof of correctness. Let F[x] = F[x_1, …, x_n] be the polynomial ring over F in n
variables, and let B_{F[x]} = B ⊗_F F[x]. Let ξ = x_1 + x_2 e_2 + ⋯ + x_n e_n ∈ B_{F[x]}, and

define

n 

and 

n 

= ^ Uix'^ + ^ {uij -Ui- nj)xiXj. 

i—l l<i<j<n 

Let 

n 

- t^£, + ?^s = ^Ci{xi, . . .,Xn)ei 

i=l 

with c_i(x) ∈ F[x]. Each c_i(x) is a homogeneous polynomial of degree 2. The
algorithm then verifies that c_i(x) = 0 for x ∈ {e_i}_i ∪ {e_i + e_j}_{i,j} and this implies
that each c_i(x) vanishes identically. Therefore, the specialization of the map
$\xi \mapsto \bar{\xi} = t_\xi - \xi$ is the unique standard involution on B. □

Remark 2.11. Algorithm 2.10 requires O(n) arithmetic operations in F, since e_i^2
and e_i e_j can be computed directly from the multiplication table and hence
(e_i + e_j)^2 = e_i^2 + e_i e_j + e_j e_i + e_j^2 can be computed using O(4n) = O(n) operations.

Remark 2.12. Using the notation of the proof of correctness for Algorithm 2.10, it
is clear that deg(B) = deg(ξ), i.e., deg(B) is equal to the degree of the minimal
polynomial of ξ, which can be computed as the rank of the matrix over F[x] whose
columns are 1, ξ, …, ξ^n using linear algebra over the field F(x_1, …, x_n).

3. Algebras with a standard involution and quadratic forms 

In this section, we describe a relationship between the category of R-algebras
with a standard involution and the category of quadratic forms over R. The main
result of this section is an algorithm which verifies that an R-algebra O over a
local PID is a quaternion order and, if so, exhibits standard generators for O.
Specializing, we recognize quaternion algebras over a field F. We then extend this
to recognizing quaternion orders over a number ring R. Over fields, a reference for
this section is Lam [20], and for more about algebras equipped with a quadratic
norm form, we refer the reader to Knus [19].
Quadratic forms over rings. We begin by defining quadratic forms over a
(noetherian) domain R.

Definition 3.1. A quadratic form over R is a map Q : M → R, where M is a finitely
generated projective R-module, such that:

(i) Q(ax) = a^2 Q(x) for all a ∈ R and x ∈ M; and

(ii) The map T : M × M → R defined by

T(x, y) = Q(x + y) − Q(x) − Q(y)

is R-bilinear.

A symmetric bilinear form T : M × M → R is even if T(x, x) ∈ 2R for all x ∈ M.
If T arises from a quadratic form, then T is even, and conversely if T is even and 2
is a nonzerodivisor in R then one recovers the quadratic form as Q(x) = T(x, x)/2.

Let Q : M → R be a quadratic form and suppose that M is free over R with
basis e_1, …, e_n. The Gram matrix of Q with respect to the basis e_1, …, e_n is the
matrix A = (T(e_i, e_j))_{i,j=1,…,n} ∈ M_n(R). The matrix A has the property that
x^t A y = T(x, y), where we identify x = x_1 e_1 + ⋯ + x_n e_n with the column vector
(x_1, …, x_n)^t, and similarly for y. In particular we have x^t A x = 2Q(x).

Let Q : M → R be a quadratic form. We say x, y ∈ M are orthogonal (with
respect to Q) if T(x, y) = 0.

Example 3.2. Let O be an R-algebra with a standard involution ‾. Then the
reduced norm nrd : O → R (defined by $x \mapsto x\bar{x}$ for x ∈ O) is a quadratic form on
O with associated bilinear form

(3.3) $T(x, y) = x\bar{y} + y\bar{x} = \mathrm{trd}(x\bar{y}) = \mathrm{trd}(x)y + \mathrm{trd}(y)x - (xy + yx)$

for x, y ∈ O. In particular T(1, x) = T(x, 1) = trd(x). Note that x, y ∈ O are
orthogonal if and only if $x\bar{y} = -y\bar{x}$.

Example 3.4. Let O_0 = {x ∈ O : trd(x) = 0} be the R-submodule of elements of
reduced trace zero. Then O/O_0 is torsion-free, since if rx ∈ O_0 then trd(rx) =
r trd(x) = 0 so trd(x) = 0 so x ∈ O_0. Thus O_0 is a projective R-submodule of O
and O ⊃ R ⊕ O_0. We therefore obtain a quadratic form $\mathrm{nrd}_0 = \mathrm{nrd}|_{O_0} : O_0 \to R$.

If Q : M → R and Q' : M' → R are quadratic forms, we define the form
Q ⊥ Q' on M ⊕ M' by requiring that (T ⊥ T')(x + x') = T(x) + T'(x') and
(Q ⊥ Q')(x + x') = Q(x) + Q'(x'). (Note that T(x, x) = 2Q(x) for all x ∈ M so if
2 ∈ R then the second condition follows from the first.)

Let Q : M → R be a quadratic form and suppose that M is free (of finite rank).
In this case, a basis e_1, …, e_n for M gives an isomorphism M ≅ R^n in which Q
can be written

$Q(x) = Q(x_1 e_1 + \cdots + x_n e_n) = \sum_i Q(e_i)x_i^2 + \sum_{i<j} T(e_i, e_j)x_i x_j$

with x = (x_1, …, x_n) ∈ R^n.

For a ∈ R, the quadratic form Q(x) = ax^2 on R is denoted ⟨a⟩; similarly, for
a_1, …, a_n ∈ R, we abbreviate ⟨a_1⟩ ⊥ ⋯ ⊥ ⟨a_n⟩ = ⟨a_1, …, a_n⟩. For a, b, c ∈ R, the
quadratic form Q(x, y) = ax^2 + bxy + cy^2 on R^2 is denoted [a, b, c].
Example 3.5. Let $B = \left(\frac{a,b}{F}\right)$ be a quaternion algebra over F. Then in the basis
1, i, j, ij we have nrd = ⟨1, −a, −b, ab⟩ if char F ≠ 2 and nrd = [1, 1, a] ⊥ b[1, 1, a] if
char F = 2.

Similarly, for nrd_0 : B_0 → F we have

(3.6) $\mathrm{nrd}(xi + yj + zij) = -ax^2 - by^2 + abz^2 = \langle -a, -b, ab \rangle$

if char F ≠ 2 and

(3.7) $\mathrm{nrd}(x + yj + zij) = x^2 + by^2 + byz + abz^2 = \langle 1 \rangle \perp b[1, 1, a]$

if char F = 2.

Quadratic forms over DVRs. Now let R be a local PID. Then either R = F is
a field or R is a discrete valuation ring with valuation ord_v : R → Z_{≥0} ∪ {∞} and
uniformizer π. For uniformity, we consider the former also to be equipped with the
uniformizer π = 1 and the trivial valuation ord_v(x) = 0 for x ∈ F^×.

Let Q : M → R be a quadratic form over R. Then since R is a PID, M is free of
rank n, say. We will now seek to find a basis for R^n in which a quadratic form Q
has a particularly simple form: we will seek to diagonalize Q as far as possible. In
cases where 1/2 ∈ R, we can accomplish a full diagonalization; otherwise, we can
at least break up the form orthogonally into distinguished forms of dimension at
most 2, as follows.

A quadratic form Q over R is atomic if either:

(i) Q = ⟨a⟩ for some a ∈ R^×, or

(ii) 1/2 ∉ R and Q = [a, b, c] with a, b, c ∈ R satisfying

ord_v(b) < ord_v(2a) ≤ ord_v(2c) and ord_v(a) ord_v(b) = 0.

In case (ii), we have ord_v(2) > 0 and ord_v(b^2 − 4ac) = 2 ord_v(b).

Example 3.8. If 1/2 ∈ R, then clearly a quadratic form Q is atomic if and only if
Q(x) = ax^2 for a ∈ R^×.

Example 3.9. If F is a field with char F = 2, then [a, b, c] is atomic if and only if
b ∈ F^×; replacing x by x + 1 and scaling y by a/b and then realizes this form as
isomorphic to a[1, 1, b] with a ∈ F^×.

Example 3.10. Suppose R = Z_2 is the ring of 2-adic integers, so that ord_v(x) =
ord_2(x) is the largest power of 2 dividing x ∈ Z_2. Recall that Z_2^×/Z_2^{×2} is represented
by the elements ±1, ±5, therefore a quadratic form Q over Z_2 is atomic of type (i)
above if and only if Q(x) = ±x^2 or Q(x) = ±5x^2. For forms of type (ii), the
conditions ord_v(b) < ord_v(2a) = ord_v(a) + 1 and ord_v(a) ord_v(b) = 0 imply in fact
ord_v(b) = 0, and so a quadratic form Q over Z_2 is atomic of type (ii) if and only if
Q(x, y) = ax^2 + xy + cy^2 with ord_2(a) ≤ ord_2(c).

Proposition 3.11. Let Q : M → R be a quadratic form. Then there exists a basis
of M such that the form Q can be written

where the forms Q_i are atomic and 0 ≤ e_1 ≤ ⋯ ≤ e_n ≤ ∞.

In the above proposition, we interpret π^∞ = 0. A form as presented in
Proposition 3.11 is called normalized, and the integer e_i for the atomic form Q_i is called
the valuation of Q_i.
Example 3.12. By Example 3.5, if B is a quaternion algebra over a field F then the
quadratic form nrd is normalized in the basis 1, i, j, ij, with a similar statement for
nrd_0.

For completeness, we give an algorithmic proof of Proposition 3.11 which is
standard. (Over fields, see Lam [20, §1-2], and see Scharlau [31, §9.4] for fields of
characteristic 2.)

Algorithm 3.13. Let R be a computable ring which is either a field or a local PID
with (computable) valuation ord_v : R → Z_{≥0} ∪ {∞}.

Let Q : M → R be a quadratic form over R and let e_1, …, e_n be a basis for M.
This algorithm returns a basis of M in which Q is normalized.

1. If T(e_i, e_j) = 0 for all i, j, return f_i := e_i. Otherwise, let (i, j) with
1 ≤ i ≤ j ≤ n be such that ord_v T(e_i, e_j) is minimal, taking i = j if
possible and if not taking i minimal.

2. Suppose i = j. Let f_1 := e_i and let e_i := e_1. For k = 2, …, n let

Let m = 2 and proceed to Step 5. 

3. Suppose i ≠ j and 1/2 ∈ R. Let f_1 := e_i + e_j and e_i := e_1. For k = 2, …, n,
let

Let m = 2 and proceed to Step 5. 

4. Suppose 1/2 ∉ R (and i ≠ j). Let

^ord,T(e,,ej) 

f_2 := e_j, e_i := e_1 and e_j := e_2. Let d := T(f_1, f_1)T(f_2, f_2) − T(f_1, f_2)^2.
For k = 3, …, n, let

$t_k := T(f_1, f_2)T(f_2, e_k) - T(f_2, f_2)T(f_1, e_k)$
$u_k := T(f_1, f_2)T(f_1, e_k) - T(f_1, f_1)T(f_2, e_k)$

and let

$f_k := e_k + \frac{t_k}{d} f_1 + \frac{u_k}{d} f_2.$

Let m = 3.

5. Recursively call the algorithm with M = R f_m ⊕ ⋯ ⊕ R f_n, and return
f_1, …, f_{m−1} concatenated with the output basis.

Given such a basis, one recovers the normalized quadratic form by factoring out 
in each atomic form the minimal valuation achieved. (One can also keep track of 
this valuation along the way in the above algorithm, if desired.) 

Proof of correctness. The only nontrivial steps are Step 3 and Step 4. In Step 3,
we need to verify that ord_v T(f_1, f_1) ≤ ord_v T(f_1, e_k). Indeed, we have

T(f_1, f_1) = T(e_i, e_i) + 2T(e_i, e_j) + T(e_j, e_j)

and so ord_v T(f_1, f_1) = ord_v T(e_i, e_j) by the ultrametric inequality and the
hypotheses that ord_v T(e_i, e_j) < ord_v T(e_i, e_i), ord_v T(e_j, e_j) and ord_v(2) = 0.
In Step 4, we set f_k := e_k + t_k f_1 + u_k f_2 and solve the linear equations T(f_1, f_k) =
T(f_2, f_k) = 0 for t_k, u_k. The result then follows from a direct calculation, coupled
with the fact that ord_v(d) = 2 ord_v T(f_1, f_2) ≤ ord_v(t_k) (and similarly with u_k).
This case only arises if (and only if)

ord_v T(f_1, f_2) < ord_v T(f_1, f_1) = ord_v(2Q(f_1)) ≤ ord_v(2Q(f_2))

so the corresponding block is indeed atomic. □



Example 3.14. TO DO : Examples! 



We note that this algorithm requires O(n^) arithmetic operations in R. This 
algorithm can be modified suitably to operate on the Gram matrix (T(e_i, e_j))_{i,j} of
the quadratic form Q, which as explained above recovers the quadratic form when
2 ≠ 0 ∈ R.

For a quadratic form Q : M → R, we define

rad(Q) = {x ∈ M : T(x, y) = 0 for all y ∈ M};

we say Q is nonsingular if rad(Q) = {0}.

Example 3.15. We have rad(Q ⊥ Q') = rad(Q) ⊕ rad(Q'), and if Q is atomic then
rad(Q) = {0}. In particular, one can read off rad(Q) directly from a normalized
form from the corresponding valuations.

Identifying quaternion algebras. Using the above normalization of a quadratic 
form in the case where i? = _F is a field, we can directly identify quaternion algebras 
amongst algebras with a standard involution. 

Proposition 3.16. Let B be an F-algebra with a standard involution. If dim p B — 
4, then B is a quaternion algebra if and only if nrd is nonsingular. 



Proof. If $B$ is a quaternion algebra, then nrd is nonsingular by Example [

Conversely, $B$ has a normalized basis $1, i, j, k$. First suppose char $F \neq 2$. By
orthogonality we have $\mathrm{trd}(i) = 0$ so $i^2 = -\mathrm{nrd}(i) = a \neq 0$ by nonsingularity
and similarly $j^2 = b \neq 0$, and $ji + ij = 0$ from (3.3). Thus $B \cong \left(\frac{a,b}{F}\right)$. The
case char $F = 2$ follows similarly: now instead we have $i^2 + i = a$ and $ji = \bar{i}j = (i+1)j$. □

Proposition 3.16 yields the following algorithm.

Algorithm 3.17. Let $B$ be an $F$-algebra with $\dim_F B = 4$ (specified by a multiplication
table). This algorithm returns true if and only if $B$ is a quaternion algebra,
and if so returns an isomorphism $B \cong \left(\frac{a,b}{F}\right)$.

1. Verify that $B$ has a standard involution by calling Algorithm 2.10. If not,
return false.

2. Compute a normalized basis $1, i, j, k$ for the quadratic form $\mathrm{nrd} : B \to F$
by calling Algorithm 3.13.

3. Test if nrd is nonsingular as in Example 3.15. If so, return true and the
quaternion algebra given by the standard generators $i, j$.
Remark 3.18. Given a quaternion algebra over $\mathbb{Q}$, Rónyai [27, Theorem 2.1] gives
an algorithm to compute a standard representation, but this algorithm tests a
polynomial of degree 2 over $\mathbb{Q}$ for irreducibility; the above algorithm requires no
such test.

Remark 3.19. If in Step 3 one finds that nrd is not nonsingular, then one has the
further refinement of Algorithm 3.17 as follows.

We denote by $\mathrm{rad}(B)$ the Jacobson radical of $B$, the largest two-sided nil ideal
of $B$, i.e. the largest two-sided ideal in which every element is nilpotent. An algebra
$B$ for which $\mathrm{rad}(B) = \{0\}$ is called semisimple. We claim that $\mathrm{rad}(B) = \mathrm{rad}(\mathrm{nrd})$.
Indeed, let $e \in B$ be nilpotent, so that $e^2 = 0$. For any $x \in B$, we have by (3.3)
that

$$xe + ex = \mathrm{trd}(x)e - \mathrm{trd}(x\bar{e}).$$

It follows that $e$ generates a nil ideal if and only if $T(x,e) = 0$ for all $x \in B$, which
holds if and only if $e \in \mathrm{rad}(\mathrm{nrd})$. Thus $\mathrm{rad}(B) = \mathrm{rad}(\mathrm{nrd})$. One can then easily
modify the algorithm to output $\mathrm{rad}(B) = \mathrm{rad}(\mathrm{nrd})$.

Remark 3.20. Another algorithm which tests if $B$ is a quaternion algebra (but
does not give a standard representation) under the assumption char $F = 0$ runs
as follows. (See Lam [20, Chapter 4] for the standard facts we use.) By the
Wedderburn-Artin theorem and a dimension count, the algebra $B$ over $F$ is a
quaternion algebra if and only if $B$ is central and semisimple. We verify that
$B$ is central as in Remark 1.4. To verify semisimplicity, if char $F = 0$, Dickson
[10, §66] showed that $B$ with $\dim_F B = n$ is semisimple if and only if the matrix
$(\mathrm{Tr}(e_i e_j))_{i,j}$ has full rank $n$, where Tr is the (left) algebra trace.

In view of Algorithm 3.17, we assume from now on that a quaternion algebra $B$
over a field $F$ is given as input by a standard representation.

Over a general domain $R$, the above algorithms do not generalize, as we cannot
hope to normalize a quadratic form as over a local PID (or field). Indeed, the
category of quadratic forms over a general domain $R$ can be quite complicated;
already forms over the integers $\mathbb{Z}$ are of significant interest. Over Dedekind domains,
one instead understands orders as in Section 1 via their localizations; we return to
this topic in later sections.

4. Identifying the matrix ring

In this section, we address the computational complexity of identifying the matrix
ring over a field. Throughout this section, let $F$ be a computable field. We
represent a quaternion algebra $B$ over $F$ by a standard form $B = \left(\frac{a,b}{F}\right)$, as in the
previous section.

Problem (IsMatrixRing). Given a quaternion algebra $B$ over $F$, determine if
$B \cong M_2(F)$.

We may also ask for a solution to the more difficult problem of constructing an
explicit isomorphism.

Problem (ExhibitMatrixRing). Given a quaternion algebra $B$ over $F$, determine if
$B \cong M_2(F)$ and, if so, output such an isomorphism.
Zerodivisors. Let $B$ be a quaternion algebra. The following structural lemma
allows us to address the above problems.

Lemma 4.1. The following are equivalent:

(i) $B \cong M_2(F)$;

(ii) $B$ is not a division ring;

(iii) There exists a nonzero $e \in B$ such that $e^2 = 0$;

(iv) $B$ has a proper, nonzero left (or right) ideal $I$.

If $B \cong M_2(F)$, we say that $B$ is split. More generally, if $K \supseteq F$ is a field
containing $F$, then we say $K$ is a splitting field for $B$ if $B_K = B \otimes_F K$ is split.

We give a proof of Lemma 4.1 in an algorithmically effective way in this section.
The implication (i) ⇒ (ii) is clear. The implication (ii) ⇒ (iii) is obtained as follows.

Algorithm 4.2. Let $x \in B$ be a zerodivisor. This algorithm returns a nonzero
element $e \in B$ such that $e^2 = 0$.

1. If $\mathrm{trd}(x) = 0$, return $x$.

2. Compute $0 \neq y \in B$ orthogonal to $1, x$ with respect to the quadratic form
nrd. If $xy = 0$, return $y$; otherwise, return $xy$.

Proof of correctness. The element $x \neq 0$ is a zerodivisor if and only if $\mathrm{nrd}(x) = x\bar{x} = 0$.
Since $y$ is orthogonal to $1, x$ we have $\mathrm{trd}(y) = 0$ so $\bar{y} = -y$ and hence
$\mathrm{trd}(xy) = -\mathrm{trd}(x\bar{y}) = 0$. If $xy = 0$ then $y$ is a zerodivisor. If $xy \neq 0$ then
$\mathrm{nrd}(xy) = \mathrm{nrd}(x)\,\mathrm{nrd}(y) = 0$, as desired. □

The implication (iii) ⇒ (iv) follows, since $e$ generates a proper left (or right) ideal.
Below, in the proof of correctness of the following algorithm, we will show that if
$I = Be$ then $\dim_F I = 2$; the equivalence then follows since left multiplication gives
a nonzero $F$-algebra map $B \to \mathrm{End}_F(I) \cong M_2(F)$ which is injective since $B$ is
simple and therefore an isomorphism as $\dim_F B = 4 = \dim_F M_2(F)$.

Algorithm 4.3. Let $e \in B$ satisfy $e^2 = 0$. This algorithm returns a standard
representation $B \cong (\ ) \cong M_2(F)$.

1. Find $k \in \{i, j, ij\}$ such that $\mathrm{trd}(ek) = s \neq 0$. Let $t = \mathrm{trd}(k)$ and $n = \mathrm{nrd}(k)$,
and let $e' = -(1/s)e$.

2. Let $j' := k + (-tk + n + 1)e'$ and let

$$i' := \begin{cases} & \text{if char } F \neq 2; \\ k + ((t+1)k + n + 1)e', & \text{if char } F = 2. \end{cases}$$

Return $i', j'$.

Proof of correctness. In Step 1, if $\mathrm{trd}(ek) = 0$ for all such $k$ then $e \in \mathrm{rad}(\mathrm{nrd})$,
contradicting Lemma 3.16. We have $\mathrm{trd}(e'k) = \mathrm{trd}(ke') = -1$.

Consider $I = Fe' + Fke'$. Note $\mathrm{trd}(ke') \neq 0$ implies that $e', ke'$ are linearly
independent. Let $A$ be the subalgebra of $B$ generated by $e'$ and $k$. We have
$e'k + ke' = te' + 1$ and $k^2 = tk - n$, and thus we compute that left multiplication
yields a map

$$A \to \mathrm{End}_F(I) \cong M_2(F).$$
A direct calculation then reveals that $j' \mapsto$ and $i' \mapsto$ if char $F \neq 2$
and $i' \mapsto$ if char $F = 2$, as in Example 1.8.

It follows all at once that $A = B$, that $I = Be'$, and that the map $B \to M_2(F)$
is an isomorphism. □

Remark 4.4. An algorithm like the above which requires linear algebra in $F$ is
claimed but not exhibited explicitly in [27]; see also [30, §5.1].
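Added example (not from the original article): a Python sketch of Algorithm 4.2 followed by the left-multiplication map $B \to \mathrm{End}_F(I)$ used in the proof of Algorithm 4.3, for $B = \left(\frac{a,b}{\mathbb{Q}}\right)$ (so char $F \neq 2$). It works directly on the basis $e, ke$ of $I$ instead of the normalized generators $i', j'$; the function names and the sample algebra $\left(\frac{-1,2}{\mathbb{Q}}\right)$ are constructed for illustration.

```python
from fractions import Fraction as Fr
from itertools import combinations

# Elements of (a,b/Q) are 4-tuples of coordinates on the basis 1, i, j, ij,
# with i^2 = a, j^2 = b and ji = -ij (assumption: F = Q, so char F != 2).

def quat(*coords):
    return tuple(Fr(c) for c in coords)

def qmul(x, y, a, b):
    """Product x*y in the quaternion algebra (a,b/Q)."""
    x0, x1, x2, x3 = x
    y0, y1, y2, y3 = y
    return (
        x0*y0 + a*x1*y1 + b*x2*y2 - a*b*x3*y3,
        x0*y1 + x1*y0 - b*x2*y3 + b*x3*y2,
        x0*y2 + x2*y0 + a*x1*y3 - a*x3*y1,
        x0*y3 + x3*y0 + x1*y2 - x2*y1,
    )

def trd(x):
    return 2 * x[0]

def nrd(x, a, b):
    return x[0]**2 - a*x[1]**2 - b*x[2]**2 + a*b*x[3]**2

def nilpotent_from_zerodivisor(x, a, b):
    """Algorithm 4.2: from a zerodivisor x != 0 (nrd(x) = 0), return e != 0 with e^2 = 0."""
    x = quat(*x)
    if not any(x) or nrd(x, a, b) != 0:
        raise ValueError("x must be a nonzero zerodivisor")
    if trd(x) == 0:
        return x
    # y = (b*x2) i - (a*x1) j has trace zero and T(x, y) = 0: orthogonal to 1 and x.
    y = quat(0, b * x[2], -a * x[1], 0)
    if not any(y):                       # x1 = x2 = 0: then i is orthogonal to 1 and x
        y = quat(0, 1, 0, 0)
    xy = qmul(x, y, a, b)
    return xy if any(xy) else y

def coords(w, v1, v2):
    """Coordinates (c1, c2) with w = c1*v1 + c2*v2, by Cramer's rule on a nonzero minor."""
    for r, s in combinations(range(4), 2):
        det = v1[r]*v2[s] - v1[s]*v2[r]
        if det != 0:
            c1 = (w[r]*v2[s] - w[s]*v2[r]) / det
            c2 = (v1[r]*w[s] - v1[s]*w[r]) / det
            if any(c1*p + c2*q != t for p, q, t in zip(v1, v2, w)):
                raise ValueError("w is not in the span of v1, v2")
            return c1, c2
    raise ValueError("v1, v2 are linearly dependent")

def matrix_ring_embedding(e, a, b):
    """Matrices of left multiplication by i and j on the left ideal I = Qe + Qke.

    k is chosen as in Step 1 of Algorithm 4.3 (trd(ek) != 0), so e and ke are
    linearly independent. Column c holds the coordinates of g*v_c on v1 = e, v2 = ke.
    """
    e = quat(*e)
    if not any(e) or any(qmul(e, e, a, b)):
        raise ValueError("need e != 0 with e^2 = 0")
    gens = [quat(0, 1, 0, 0), quat(0, 0, 1, 0), quat(0, 0, 0, 1)]   # i, j, ij
    k = next(g for g in gens if trd(qmul(e, g, a, b)) != 0)
    v1, v2 = e, qmul(k, e, a, b)

    def left_mult(g):
        (p, r), (q, s) = (coords(qmul(g, v, a, b), v1, v2) for v in (v1, v2))
        return ((p, q), (r, s))

    return left_mult(gens[0]), left_mult(gens[1])

def mmul(A, B):
    """Product of two 2x2 matrices given as nested tuples."""
    return tuple(tuple(sum(A[r][t]*B[t][c] for t in range(2)) for c in range(2))
                 for r in range(2))

# Constructed sample: B = (-1, 2 / Q), zerodivisor x = 1 + i + j (nrd = 1 + 1 - 2 = 0).
A_COEFF, B_COEFF = -1, 2
E = nilpotent_from_zerodivisor((1, 1, 1, 0), A_COEFF, B_COEFF)
MI, MJ = matrix_ring_embedding(E, A_COEFF, B_COEFF)

if __name__ == "__main__":
    print("e    =", E)
    print("i -> ", MI)
    print("j -> ", MJ)
```

The returned matrices satisfy $M_i^2 = a$, $M_j^2 = b$ and $M_iM_j = -M_jM_i$, which is exactly the statement that the map is a homomorphism of $F$-algebras.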

Conics. We have already seen in Lemma 4.1 that $B \cong M_2(F)$ if and only if there
exists $0 \neq e \in B$ such that $e^2 = 0$. To this end, let

$$B_0 = \{e \in B : \mathrm{trd}(e) = 0\}.$$

We have $\dim_F B_0 = 3$, and given a standard representation for $B$ we
have a basis for $B_0$ given by if char $F \neq 2$ and if char $F = 2$, as in
Example 3.5.

We may identify the set $P(B_0) = B_0/F^\times$ with the points of the projective plane
$\mathbb{P}^2(F)$ over $F$. Then the equation $\mathrm{nrd}_0(x, y, z) = 0$ yields a conic $C \subset \mathbb{P}^2$ defined
over $F$, a nonsingular projective plane curve of degree 2.

Lemma 4.5. Let $B$ be a quaternion algebra over $F$. Then the following are equivalent:

(i) $B \cong M_2(F)$.

(v) The quadratic form $Q = \mathrm{nrd}|_{B_0}$ associated to $B$ represents zero over $F$.

(vi) The conic $C$ associated to $B$ has an $F$-rational point.

Therefore we are led to the following problems. 

Problem 4.6 (HasPoint). Given a conic C defined over a field F, determine if C 
has an F -rational point. 

Problem 4.7 (ExhibitPoint). Given a conic C defined over a field F, determine if 
C has an F -rational point and, if so, output such a point. 

These problems could be equivalently formulated as follows: given a nonsingular
ternary quadratic form $Q : V \to F$, determine if $Q$ is isotropic (represents zero
nontrivially) and, if so, find $0 \neq x \in V$ such that $Q(x) = 0$. We find the geometric
language here to be more suggestive, but really these are equivalent ways to describe
the same situation.

By Lemma 3.11, given a conic $C$ over a field $F$, there is a (deterministic,
polynomial-time) algorithm which computes a change of coordinates in which $C$
is given by the equation

$$ax^2 + by^2 + cz^2 = 0$$

if char $F \neq 2$ with $a, b, c \in F^\times$, and

$$ax^2 + axy + aby^2 + cz^2 = 0$$

if char $F = 2$, with $a, c \in F^\times$ by Example 3.9. In the first case, multiplying through
by $abc \neq 0$ we obtain $bc(ax)^2 + ac(by)^2 + (abc^2)z^2 = 0$ which arises as the form
associated to $(\ )$; in the second case, we multiply through by $c \neq 0$ to






JOHN VOIGHT 



obtain $(ac)x^2 + (ac)xy + b(ac)y^2 + (cz)^2 = 0$ which is associated to $\left(\frac{b, ac}{F}\right)$. Together
with Algorithm 4.3 therefore, we arrive at the following lemma.

Proposition 4.8. The association $B \mapsto C = \mathrm{nrd}_0$ gives a bijection between quaternion
algebras over $F$ up to isomorphism and conics over $F$ up to isomorphism.

Problems (IsMatrixRing), (ExhibitMatrixRing) are (deterministic polynomial-time)
equivalent to Problems (HasPoint), (ExhibitPoint), respectively.

Proof. We need only identify isomorphisms: we need to show that two quaternion
algebras $B, B'$ are isomorphic if and only if the induced conics $C, C'$ are
isomorphic.

We treat only the case char $F \neq 2$; the case char $F = 2$ follows similarly. If
$\phi : B \to B'$ is an isomorphism of quaternion algebras, then $\phi(1) = 1$ so $\phi(B_0) = B_0'$,
and the reduced norm is determined by the standard involution which is unique, so
$\phi \circ \mathrm{nrd}_B = \mathrm{nrd}_{B'}$. Conversely, suppose $\psi : C \to C'$ is an isomorphism. Choose a
quadratic form $Q$ so that $C$ is given by $Q = 0$ in $\mathbb{P}^2_F$, normalized and scaled so that
$Q = \mathrm{nrd}_0$ for some $B = (\ )$. Choose similarly $Q'$ for $C'$. Then $\psi$ is given by an
element of $PGL_3(F)$ and there exists a lift of $\psi$ to $GL_3(F)$ such that $\psi \circ Q = Q'$.
The $F$-linear map $\psi : B_0 \to B_0'$ extends naturally (defining $\psi(1) = 1$) to an $F$-linear
map which we also denote $\psi : B \to B'$, and we must show that $\psi$ is an $F$-algebra
isomorphism.

Suppose $B = \left(\frac{a,b}{F}\right)$. Then we have $\mathrm{nrd}(\psi(i)) = \mathrm{nrd}(i) = -a$ and
$\mathrm{nrd}(\psi(i)) = \psi(i)\overline{\psi(i)} = -\psi(i)^2$ so $\psi(i)^2 = a$. Similarly we have $\psi(j)^2 = b$. Finally, we have
$ji = -ij$ since $i, j$ are orthogonal, but then $\psi(i), \psi(j)$ are orthogonal so $\psi(j)\psi(i) =$


We conclude this section by considering a simple case of the above problems.
First, let $F = \mathbb{F}_q$ be a finite field with $q$ elements. Indeed, Problem (HasPoint) is
trivial: since every conic over a finite field has a point (an elementary argument),
one can simply always output true.

For problem (ExhibitPoint), we will make use of the following related problem.

Problem 4.9 (SquareRoot). Given $a \in \mathbb{F}_q^{\times 2}$, output $b \in \mathbb{F}_q^\times$ such that $b^2 = a$.

We have two cases. First, if $q$ is even, then one can solve Problem (SquareRoot)
in deterministic polynomial time (by repeated squaring, since $q - 1 = \#\mathbb{F}_q^\times$ is odd);
for a conic in normalized form (3.7), this is already sufficient to solve Problem
(ExhibitPoint). If $q$ is odd, then there exists a deterministic polynomial-time algorithm
to solve (ExhibitPoint) over $\mathbb{F}_q$ by work of van de Woestijne [35]. There also
exists a probabilistic polynomial-time algorithm, which intersects the conic with a
random line and then calls (SquareRoot), and there is a probabilistic polynomial-time
algorithm to solve (SquareRoot) but no deterministic such algorithm (without
further assumption of a generalized Riemann hypothesis). The latter algorithm is
extremely efficient in practice.

Remark 4.10. It would also be interesting to study the corresponding problem where
$M_2(F)$ is replaced by another quaternion algebra $B'$: in other words, to test if two
quaternion algebras $B, B'$ over $F$ are isomorphic and, if so, to compute an explicit
isomorphism. Since the reduced norm is determined by the standard involution on
a quaternion algebra, and this involution is unique, it follows that if $B \cong B'$ then
$\mathrm{nrd}_B \cong \mathrm{nrd}_{B'}$; in fact, this is an equivalence even when restricted to the trace zero
subspace [20]. Therefore one is led to consider the problem of determining if two
quadratic forms are isometric and, if so, to compute an explicit isometry.

5. Splitting fields and the Hilbert symbol 

In this section, we exhibit algorithms for solving the Problem (IsMatrixRing) over 
a local field of characteristic not 2: in this setting, our problem is otherwise known 
as computing the Hilbert symbol. 

Hilbert symbol. Let $F$ be a field with char $F \neq 2$, and let $a, b \in F^\times$. The Hilbert
symbol is defined to be

$$(a,b)_F = \begin{cases} 1, & \text{if } \left(\frac{a,b}{F}\right) \cong M_2(F); \\ -1, & \text{otherwise.} \end{cases}$$

We begin by recalling a well-known criterion [36, Corollaire 2.4].

Lemma 5.1. A quaternion algebra $\left(\frac{a,b}{F}\right)$ is split if and only if $b \in N_{K/F}(K^\times)$,
where $K = F[i]$.

Here, we write $K = F[i] = F \oplus Fi$ to be the quadratic $F$-algebra generated by $i$.

Proof. If $N_{K/F}(u + vi) = \mathrm{nrd}(u + vi) = b$ with $u, v \in F$, then $x = u + vi + j$
has $\mathrm{nrd}(x) = \mathrm{nrd}(u + vi + j) = \mathrm{nrd}(u + vi) + \mathrm{nrd}(j) = b - b = 0$, so $B$ is not
a division ring, so $B \cong M_2(F)$ by Lemma 4.1. Conversely, if $B \cong M_2(F)$, then
after conjugating by an element of $GL_2(F)$ we may assume $i \mapsto$ (rational
canonical form). The condition that $ji = -ij$ implies that $j \mapsto$ and
$= u^2 - av^2 = b = N_{K/F}(u + vi)$. □

Lemma 5.2. We have $(a,b)_F = (b,a)_F$ and $(a,b)_F = (-ab,b)_F$. If $t, u \in F^\times$ then
$(a,b)_F = (at^2, bu^2)_F$.

Proof. Interchanging $i, j$ gives an isomorphism $\left(\frac{a,b}{F}\right) \cong \left(\frac{b,a}{F}\right)$. Replacing $i, j$ by
$ui, vj$ gives an isomorphism $\left(\frac{a,b}{F}\right) \cong \left(\frac{u^2a, v^2b}{F}\right)$. By considering the algebra
generated by $ij, j$ we see that $\left(\frac{a,b}{F}\right) \cong \left(\frac{-ab, b}{F}\right)$.

Local Hilbert symbol. For the rest of this section, let $F$ be a number field. For
a place $v$ of $F$, let $F_v$ denote the completion of $F$ at $v$ and let $R_v$ be its valuation
ring. Let $\pi_v$ be a uniformizer for $F_v$ and let $k_v$ be the residue field of $F_v$.

If $a, b \in F_v^\times$, we abbreviate $(a,b)_v = (a,b)_{F_v}$. We now proceed to discuss the
computability of $(a,b)_v$, and thereby Problem (IsMatrixRing) for local fields $F_v$ with
char $k_v \neq 2$.
Remark 5.3. With Lemma 5.1 in mind, we recall the following facts about local
norms. There is a unique unramified quadratic extension $K_v$ of $F_v$, obtained from
the corresponding unique such extension of residue fields. Then
$N_{K_v/F_v}(K_v^\times) = R_v^\times \times \pi_v^{2\mathbb{Z}}$ by Hensel's lemma, since the norm map in an extension of finite fields is
surjective. For further details, see Neukirch [23, Corollary V.1.2] or Fröhlich [12,
Proposition 7.3].

We begin by recalling the following fundamental result concerning division quaternion
algebras over a local field [36, Théorèmes II.1.1, II.1.3].

Lemma 5.4. Let $v$ be a noncomplex place of $F$. Then there is a unique quaternion
algebra over $F_v$ which is a division ring, up to $F_v$-algebra isomorphism.

Note that there is no division quaternion algebra over $\mathbb{C}$ since $\mathbb{C}$ is algebraically
closed. The unique division algebra over $\mathbb{R}$ is the classical ring of Hamiltonians.
If $v$ is nonarchimedean, then the unique division ring over $F_v$ is



given by By = ( — — — - ) , where Ky is the (unique) unramified quadratic extension 
\ Pv J 

of $F_v$.

Let $B$ be a quaternion algebra over $F$. We say $B$ is unramified (or split) at $v$ if
$B \otimes_F F_v \cong M_2(F_v)$, i.e. $F_v$ is a splitting field for $B$; otherwise (if $B_v$ is a division
ring) we say $B$ is ramified at $v$.

A place $v$ of $F$ is odd if either $v$ is real or $v$ is nonarchimedean and $\#k_v$ is odd;
$v$ is even if $v$ is nonarchimedean and $\#k_v$ is even. For an odd place $v$ and $a \in F_v^\times$,
we define the square symbol

$$\left\{\frac{a}{v}\right\} = \begin{cases} 1, & \text{if } a \in F_v^{\times 2}; \\ -1, & \text{if } a \notin F_v^{\times 2} \text{ and } \mathrm{ord}_v(a) \text{ is even}; \\ 0, & \text{if } a \notin F_v^{\times 2} \text{ and } \mathrm{ord}_v(a) \text{ is odd}. \end{cases}$$

Here we set the convention that if $v$ is a real place then $\pi_v = -1$ is a uniformizer for
$F_v = \mathbb{R}$ and that $a = (-1)^{\mathrm{ord}_v(a)}|a|$; in other words, $\left\{\frac{a}{v}\right\} = 1$ or $0$ according as
$a > 0$ or $a < 0$.

Suppose $v$ is nonarchimedean. If $\mathrm{ord}_v(a) = 0$, then $\left\{\frac{a}{v}\right\} = \left(\frac{a}{v}\right)$ is the usual
Legendre symbol; in fact, $\left\{\frac{a}{v}\right\} = 0$ if and only if $\mathrm{ord}_v(a)$ is odd. Note that the
square symbol is not multiplicative, for example $\left\{\frac{\ }{v}\right\} = 1 \neq 0 = \left\{\frac{\ }{v}\right\}$; it is
multiplicative when restricted to the subgroup of elements with even valuation,
however.

Finally, we note that $\left\{\frac{a}{v}\right\} = -1$ if and only if $F_v(\sqrt{a})$ is an unramified field
extension of $F_v$ and $\left\{\frac{a}{v}\right\} = 0$ if and only if $F_v(\sqrt{a})$ is ramified; when $v$ is real, we
follow the convention that $\mathbb{C}$ is considered to be ramified over $\mathbb{R}$.
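Proposition 5.5. Let $v$ be an odd place of $F$ and let $a, b \in F_v^\times$. Then $(a,b)_v = 1$
if and only if

$$\left\{\frac{a}{v}\right\} = 1 \ \text{ or } \ \left\{\frac{b}{v}\right\} = 1 \ \text{ or } \ \left\{\frac{-ab}{v}\right\} = 1 \ \text{ or } \ \left\{\frac{a}{v}\right\} = \left\{\frac{b}{v}\right\} = \left\{\frac{-ab}{v}\right\} = -1.$$

Proof. If $\left\{\frac{a}{v}\right\} = 1$ then $K_v$ is not a field, so $B_v$ is not a division ring and by Lemma 4.1 we have
$(a,b)_v = 1$. The same holds for $\left\{\frac{b}{v}\right\} = 1$ and $\left\{\frac{-ab}{v}\right\} = 1$, since $j^2 = b$ and
$(ij)^2 = -ab$.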



fa] 






\vj 




[vj 



unramified quadratic extension of Fy (if v is real, then Ky — C). If v is archimedean 

then (a,b)y = —1 if and only if v(b) > if and only if i — 1 1 and we are in 

the previous case. If $v$ is nonarchimedean, then since $\mathrm{ord}_v(b)$ is even, we have
$b \in N_{K_v/F_v}(K_v^\times)$ by Remark 5.3 so by Lemma 5.1 we again have that $B_v$ is split.

The only case that remains is when $\left\{\frac{a}{v}\right\} = 0$ or $\left\{\frac{b}{v}\right\} = 0$ (and $v$ is
nonarchimedean). Since $(a,b)_v = (b,a)_v$, interchanging $a$ and $b$ we may assume $\left\{\frac{b}{v}\right\} = 0$,
so $\mathrm{ord}_v b$ is odd. But then since $(a,b)_v = (-ab,b)_v$, we may assume $\left\{\frac{a}{v}\right\} \neq 0$ and
hence $\left\{\frac{a}{v}\right\} = -1$. But now $F_v[i] = K_v$ is the unramified quadratic extension of $F_v$ so
$b \notin N_{K_v/F_v}(K_v^\times)$ so $B_v$ is a division ring by Lemma 5.1. □

Corollary 5.6. Let $a, b \in R_v \setminus \{0\}$ and suppose $a \in R_v^\times$. Then
$(a,b)_v = \left(\frac{a}{v}\right)^{\mathrm{ord}_v b}$.



Representing local fields. When discussing computability for local fields, we 
immediately encounter the following issue: a local field Fy is uncountable, so it is 
not computable. 

One has at least two choices for overcoming this obstacle. One possibility is 
to use exact local field arithmetic, where one includes with the specification of an 
element its precision. One then requires the output of algorithms to be a continuous 
function of the input and to be correct with whatever output precision is given. 
This way of working with R (or C) also goes by the name exact real (or complex) 
arithmetic. This model has several advantages. In practice, for many applications 
this works extremely well: if more precision is required in the output, one simply 
gives more precision in the input. Consequently this model is also very efficient. 
Although this method does not realize a local field $F$ as a computable field,
all of the algorithms we discuss in this article work well in this model for $F_v$. (One
also has the choice if one works in fixed precision or allows each element to have its
own floating precision; we do not address this important practical question here.)

A second method is simply to work in a computable subfield $F$ of the local field
$F_v$. Indeed, any subfield $F$ which is countably generated over its prime field is
computable. In this article, we will take this approach; it is more appropriate for
the theoretical discussion below (even as it will be less efficient in practice).
With this discussion in mind, we represent a local field as follows. First, let $F$
be a number field. Let $v$ be a place of $F$. If $v$ is archimedean, then it is specified by
some ordering of the roots of $f$ in $\mathbb{C}$. If $v$ is nonarchimedean, then $v$ is specified by
a prime in a ring of integers in $F$. We can thereby compute a uniformizer $\pi_v \in F$
for the place $v$ by the Chinese remainder theorem.

We then represent the local field as F(, = F D F^, an algebraic closure of F 
in Fy. Given a (monic) polynomial g with coefficients in F, there exists a de- 
terministic algorithm which returns the roots of g in Fy (as elements of F^). In 
the nonarchimedean case, Hensel's lemma provides the essential ingredient to show 
that one can (efficiently) compute with F^. With this choice, by computing in the 
subfield generated by any element x d F^ we can compute the discrete valuation 
ovdy : — > Z as well as the reduction map Ry — ky modulo 7r„. When v is real, 
we recall that $\mathrm{ord}_v(a) = 0, 1$ according as $a > 0$ or $a < 0$, and so the computability
of $\mathrm{ord}_v$ follows from well-known algorithms for exact real root finding.

The above discussion applies equally well to the case of global function fields;
see Remark 1.1. For more on computably algebraically closed fields, we refer again
to Stoltenberg-Hansen and Tucker [35].

Computing the local Hilbert symbol. To conclude, we discuss the computability
of the Hilbert symbol for odd places using Proposition 5.5. We use Proposition
5.5 and the correspondence above to relate Problem (HasPoint) to the problem of
computing the square symbol.

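Suppose $F_v$ is archimedean. The Hilbert symbol for $F_v = \mathbb{C}$ is trivial. If $v$ is
real, then $\left\{\frac{a}{v}\right\} = 1, 0$ according as $a > 0$ or $a < 0$, so by the correspondence
above this solves (HasPoint) for these fields. It follows that Problem (ExhibitPoint)
is equivalent to Problem (SquareRoot), and there is a deterministic algorithm to
solve this problem in the computable subfield $\overline{F} \cap F_v$, by hypothesis.

Next, suppose $F_v$ is nonarchimedean and that $v$ is odd. Then we can evaluate
$\left\{\frac{a}{v}\right\}$ by simply computing $\mathrm{ord}_v(a) = e$; if $e$ is odd then $\left\{\frac{a}{v}\right\} = 0$, whereas if $e$ is
even then $\left\{\frac{a}{v}\right\} = \left(\frac{a\pi_v^{-e}}{v}\right)$, where $\left(\frac{\cdot}{v}\right) = \left(\frac{\cdot}{\mathfrak{p}}\right)$ is the usual Legendre
symbol, defined by

$$(5.7)\qquad \left(\frac{a}{\mathfrak{p}}\right) = \begin{cases} 0, & \text{if } a \equiv 0 \pmod{\mathfrak{p}}; \\ 1, & \text{if } a \not\equiv 0 \pmod{\mathfrak{p}} \text{ and } a \text{ is a square modulo } \mathfrak{p}; \\ -1, & \text{otherwise.} \end{cases}$$

The Legendre symbol can be computed in deterministic polynomial time by Euler's
formula

$$\left(\frac{a}{v}\right) \equiv a^{(\#k_v - 1)/2} \pmod{\pi_v}$$

using repeated squaring.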

To solve Problem (HasPoint) we have two cases. In the first case, where one 
value of the square symbol is equal to 1, we reduce to Problem (SquareRoot) over 
F^ which we can solve by the above. Otherwise, if all three symbols in Proposition 
5.5 are $-1$, then also by Hensel's lemma, Problem (ExhibitPoint) over $F_v$ is reducible
to Problem (ExhibitPoint) over $k_v$, which was discussed at the end of the previous
section.

If we restrict our input to a global field $F$, then a runtime analysis of the above
method yields the following.

Proposition 5.8. Let $F$ be a number field and let $v$ be an odd place of $F$. Then
there exists a deterministic polynomial-time algorithm to evaluate the Hilbert symbol
$(a,b)_v$ for $a, b \in F^\times$.

Remark 5.9. By Hilbert reciprocity, we have

$$(5.10)\qquad \prod_v (a,b)_v = 1$$

whenever $F$ is a global field and $a, b \in F^\times$. Consequently, if one can compute all
but one local Hilbert symbol $(a,b)_v$, then the final symbol can be recovered from
the above relation. In particular, this means for a number field $F$, if there exists a
unique prime above 2 (e.g. when $F = \mathbb{Q}$) then one can evaluate $(a,b)_2$ in this way.

6. The even local Hilbert symbol

In this section, we discuss the computation of the local Hilbert symbol for an
even place of a number field $F$. The main result of this section is the following
theorem.

Theorem 6.1. Let $F$ be a number field and let $v$ be a place of $F$. Then there exists
a deterministic polynomial-time algorithm to evaluate the Hilbert symbol $(a,b)_v$ for
$a, b \in F$.

If $v$ is an odd place of $F$ then Theorem 6.1 follows from Proposition 5.8. So
suppose that $v$ is an even place of $F$, i.e. $\#k_v$ is even. Let $\mathbb{Z}_F$ be the ring of
integers of $F$ and let $\mathfrak{p}$ be the prime of $\mathbb{Z}_F$ corresponding to $v$.

We first give an algorithm which gives a solution to an integral norm form via a
Hensel-like lift.

Algorithm 6.2. Let $\mathfrak{p}$ be an even prime with ramification index $e = \mathrm{ord}_{\mathfrak{p}} 2$, and let
$a, b \in \mathbb{Z}_F$ be such that $\mathrm{ord}_{\mathfrak{p}}(a) = 0$ and $\mathrm{ord}_{\mathfrak{p}}(b) = 1$. This algorithm outputs a
solution to the congruence

$$1 - ay^2 - bz^2 \equiv 0 \pmod{\mathfrak{p}^{2e}}$$

with $y, z \in \mathbb{Z}_F/\mathfrak{p}^{2e}$ and $y \in (\mathbb{Z}_F/\mathfrak{p})^\times$.

1. Let $f \in \mathbb{Z}_{\ge 1}$ be the residue class degree of $\mathfrak{p}$ (so that $\#(\mathbb{Z}_F/\mathfrak{p}) = 2^f$) and
let $q := 2^f$. Let $\pi$ be a uniformizer at $\mathfrak{p}$.

2. Initialize $(y,z) := (1/\sqrt{a}, 0)$.

3. Let $N := 1 - ay^2 - bz^2 \in \mathbb{Z}_F/4\mathbb{Z}_F$ and let $t := \mathrm{ord}_{\mathfrak{p}}(N)$. If $t \ge 2e$, proceed
to Step 4. Otherwise, if $t$ is even, let

and if $t$ is odd, let

Return to Step 3.

4. Return $y, z$.
In this algorithm, when we write $\sqrt{u}$ for $u \in (\mathbb{Z}_F/\mathfrak{p}^{2e})^\times$ we mean any choice of
a lift of $\sqrt{u} \in (\mathbb{Z}_F/\mathfrak{p})^\times$ to $\mathbb{Z}_F/\mathfrak{p}^{2e}$.

Proof of correctness. The key calculation in Step 3 is as follows: if $t$ is even, we
make the substitution

$$1 - a(y + u\pi^{t/2})^2 - bz^2 = N - 2au\pi^{t/2}y - au^2\pi^t \equiv 0 \pmod{\mathfrak{p}^{t+1}}$$

and solve for $u$. Note that since $t < 2e$ we have $\mathrm{ord}_{\mathfrak{p}}(2\pi^{t/2}) = e + t/2 > t$; solving
we get $u^2 \equiv N/(a\pi^t) \pmod{\mathfrak{p}}$ as claimed. The case where $t$ is odd is similar: we
have

$$1 - ay^2 - b\left(z + \sqrt{N/(b\pi^{t-1})}\,\pi^{\lfloor t/2 \rfloor}\right)^2 = N - 2bz\sqrt{N/(b\pi^{t-1})}\,\pi^{\lfloor t/2 \rfloor} - b\left(N/(b\pi^{t-1})\right)\pi^{t-1}$$
$$\equiv N - N = 0 \pmod{\mathfrak{p}^{t+1}}$$

and the middle term above vanishes modulo $\mathfrak{p}^{t+1}$ since $t < 2e$ implies
$e + 1 + \lfloor t/2 \rfloor = e + 1 + (t-1)/2 \ge t + 1$. □

Remark 6.3. Alternatively, we can compute a solution modulo 2 directly. The map

$$(y, z) \mapsto 1 - ay^2 - bz^2$$

is $\mathbb{Z}_F/\mathfrak{p} = \mathbb{F}_q$-linear since $2 \equiv 0 \pmod{\mathfrak{p}^e}$. Let $(y_0, z_0)$ be in the kernel of this map.
Letting (a;, y, z) := (1, y^^^ , ^o^^)i 1 ~ '^V^ ^ = (mod 2). 

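Remark 6.4. This is better than the algorithm provided in Simon's thesis [33]
because we do not need to make a brute force search, which might not run in
polynomial time.

We reduce to the above Hensel lift by the following algorithm.

Algorithm 6.5. Let $\mathfrak{p}$ be an even prime with ramification index $e = \mathrm{ord}_{\mathfrak{p}} 2$ and let
$a, b \in \mathbb{Z}_F \setminus \{0\}$ be such that $v(a) = 0$ and $v(b) \in \{0, 1\}$. This algorithm outputs
$y, z, w \in \mathbb{Z}_F/\mathfrak{p}^{2e}$ such that

$$1 - ay^2 - bz^2 + abw^2 \equiv 0 \pmod{\mathfrak{p}^{2e}}$$

and $y \in (\mathbb{Z}_F/\mathfrak{p})^\times$. Let $\pi$ be a uniformizer for $\mathfrak{p}$.

1. If $v(b) = 1$, return the output $(x, y, z, 0)$ of Algorithm 6.2 with input $a, b$.

2. Suppose $a \in (\mathbb{Z}_F/\mathfrak{p}^e)^{\times 2}$ and $b \in (\mathbb{Z}_F/\mathfrak{p}^e)^{\times 2}$. Let $(a_0)^2 a \equiv 1 \pmod{\mathfrak{p}^e}$
and $(b_0)^2 b \equiv 1 \pmod{\mathfrak{p}^e}$. Return

$$y = a_0, \quad z = b_0, \quad w = a_0 b_0.$$

3. Swap $a, b$ if necessary so that $a \notin (\mathbb{Z}_F/\mathfrak{p}^e)^{\times 2}$. Let $t$ be the largest integer
such that $a \in (\mathbb{Z}_F/\mathfrak{p}^t)^{\times 2}$ but $a \notin (\mathbb{Z}_F/\mathfrak{p}^{t+1})^{\times 2}$. Then $t$ is odd; write
$a = a_0^2 + \pi^t a_t$ with $a_0, a_t \in \mathbb{Z}_F$. Let $y, z$ be the output of Algorithm 6.2
with input $a, -\pi a_t/b$. Return

$$y = \frac{1}{a_0}, \quad z = \frac{\pi^{\lfloor t/2 \rfloor}}{a_0 z}, \quad w = \frac{y\pi^{\lfloor t/2 \rfloor}}{a_0 z}$$

(reswapping if necessary).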
Proof of correctness. In Step 3, writing $aa_0^2 = 1 + 2a'$ and $bb_0^2 = 1 + 2b'$ we indeed
have

$$1 - a(a_0)^2 - b(b_0)^2 + ab(a_0b_0)^2 = 1 - (1 + 2a') - (1 + 2b') + (1 + 2a')(1 + 2b') \equiv 0 \pmod{\mathfrak{p}^{2e}}$$

since $4 \in \mathfrak{p}^{2e}$.

Now we discuss Step 4. Write $a = a_0 + a_1\pi + \cdots + a_{e-1}\pi^{e-1}$ with $a_i \in \mathbb{Z}_F/\mathfrak{p}$.
Then indeed $a \in (\mathbb{Z}_F/\mathfrak{p}^e)^{\times 2}$ if and only if and $a_i = 0$ for $i$ odd by the freshperson's
dream, so in particular $t < e$. Now suppose we have

$$1 - ay^2 + (\pi a_t/b)z^2 \equiv 0 \pmod{4}.$$

Note $z \in (\mathbb{Z}_F/\mathfrak{p})^\times$ since otherwise $a \in (\mathbb{Z}_F/\mathfrak{p}^{t+1})^{\times 2}$, a contradiction. Multiplying
by $-b\pi^{t-1}/z^2$ gives

$$-b(\pi^{\lfloor t/2 \rfloor}/z)^2 + ab(y\pi^{\lfloor t/2 \rfloor}/z)^2 - \pi^t a_t \equiv 0 \pmod{\mathfrak{p}^{2e}}$$

so

$$a_0^2 - (a_0^2 + \pi^t a_t) - b(\pi^{\lfloor t/2 \rfloor}/z)^2 + ab(y\pi^{\lfloor t/2 \rfloor}/z)^2 \equiv 0 \pmod{\mathfrak{p}^{2e}}$$

so since $a = a_0^2 + \pi^t a_t$, dividing by $a_0^2$ we have the result. □

We are now prepared to evaluate the even Hilbert symbol.

Algorithm 6.6. Let $B = \left(\frac{a,b}{F}\right)$ be a quaternion algebra with $a, b \in F^\times$, and let
$\mathfrak{p}$ be an even prime of $F$. This algorithm returns the value of the Hilbert symbol
$(a,b)_{\mathfrak{p}}$.

1. Scale $a, b$ if necessary by an element of $\mathbb{Q}^{\times 2} \cap \mathbb{Z}$ so that $a, b \in \mathbb{Z}_F$.

2. Call Algorithm 6.5 and let $i' := (1 + yi + zj + wij)/2$. Let $f(T) = T^2 - T + \mathrm{nrd}(i')$
be the minimal polynomial of $i'$. If $f$ has a root modulo $\mathfrak{p}$, return 1.

3. Let $j' := (zb)i - (ya)j$ and let $b' := (j')^2$. If $\mathrm{ord}_v b'$ is even, return 1,
otherwise return $-1$.

Proof of correctness. If in Step 2 we have a root modulo $\mathfrak{p}$, then by Hensel's lemma,
$f$ has a root in $F_{\mathfrak{p}}$, hence $i'$ is a zero divisor and we return 1 correctly. Otherwise,
by Lemma 5.4 we have $K_{\mathfrak{p}} = F_{\mathfrak{p}}[i]$ is the unramified field extension of $F_{\mathfrak{p}}$. We
compute that $\mathrm{trd}(j') = \mathrm{trd}(i'j') = 0$, so $B_{\mathfrak{p}} \cong (\ )$ and $B_{\mathfrak{p}}$ is split if and only
if $\mathrm{ord}_{\mathfrak{p}} b'$ is odd. □

Note that the above algorithms run in deterministic polynomial time.

Computing the Jacobi symbol. An interesting consequence of the above algorithm
is that one can evaluate the Jacobi symbol in deterministic polynomial time
in certain cases analogous to the way ("reduce and flip") that one computes this
symbol using quadratic reciprocity in the case $F = \mathbb{Q}$. (See Lenstra [22] for an
alternative approach which works in greater generality.)

We extend the definition of the Legendre symbol (5.7) to a symbol $\left(\frac{a}{\mathfrak{b}}\right)$ with $\mathfrak{b}$
odd by multiplicativity, and we define

$$\left(\frac{a}{b}\right) = \left(\frac{a}{b\mathbb{Z}_F}\right).$$

We write $v \mid 2\infty$ for the set of finite even places and real archimedean places of
$F$.
F. 
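Proposition 6.7. Let $a, b \in \mathbb{Z}_F$ satisfy $a\mathbb{Z}_F + b\mathbb{Z}_F = \mathbb{Z}_F$, with $b$ odd, and suppose
$a = a_0a_1$ with $a_1$ odd. Then

$$\left(\frac{a}{b}\right)\left(\frac{b}{a_1}\right) = \prod_{v \mid 2\infty} (a,b)_v.$$

Proof. By Hilbert reciprocity (5.10), we have

$$\prod_v (a,b)_v = 1 = \prod_{v \mid 2\infty} (a,b)_v \prod_{v \nmid 2\infty} (a,b)_v.$$

By Lemma 5.5, if $\mathfrak{p}$ is odd and $\mathrm{ord}_{\mathfrak{p}}(a) = \mathrm{ord}_{\mathfrak{p}}(b) = 0$ then $(a,b)_{\mathfrak{p}} = 1$. Therefore

$$\prod_{\mathfrak{p} \mid a_1b} (a,b)_{\mathfrak{p}} = \prod_{v \mid 2\infty} (a,b)_v.$$

For $\mathfrak{p}$ odd, if $\mathrm{ord}_{\mathfrak{p}} a_1 > 0$ then $\mathrm{ord}_{\mathfrak{p}} b = 0$ by assumption and thus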



{a,b)p 

Similarly if ordp 6 > then (a, fe)p = ( ^ ) , hence 

n 

The result follows. □ 



A Euclidean function on $\mathbb{Z}_F$ is a map $N : \mathbb{Z}_F \setminus \{0\} \to \mathbb{Z}_{\ge 0}$ such that for all
$a, b \in \mathbb{Z}_F$ there exists $q, r \in \mathbb{Z}_F$ such that $a = qb + r$ with either $r = 0$ or
$N(r) < N(b)$. A Euclidean function is computable if given $a, b$, the elements $q, r$ as
above are computable.

Algorithm 6.8. Let $F$ be a number field with a computable Euclidean function
$N$ and let $a, b \in \mathbb{Z}_F \setminus \{0\}$. This algorithm returns the Jacobi symbol $\left(\frac{a}{b}\right)$.

1. Initialize $z = 1$.

2. If $b\mathbb{Z}_F = \mathbb{Z}_F$, return $z$. Otherwise, compute $q, r \in \mathbb{Z}_F$ such that $a = qb + r$.
If $r = 0$, return 0. Let $a := r$. Write $a = a_0a_1$ with $a_1 \in \mathbb{Z}_F$ odd.

3. Multiply $z$ by $\prod_{v \mid 2\infty} (a,b)_v$, computed using Algorithm 6.6. Return to Step
2, with $(a,b) := (b, a_1)$.

Proof of correctness. We need only remark that the division algorithm associated to
$N$ implies that $\mathbb{Z}_F$ has unique factorization, so we can indeed write $a = a_0a_1$ with $a_1$
odd. The algorithm terminates because in Step 4 we have $N(a) = N(r) < N(b)$. □

Remark 6.9. For any fixed $F$, one can precompute a table of the values $(a,b)_{\mathfrak{p}}$ for
$a, b$ in appropriate residue classes modulo an even prime $\mathfrak{p}$; this is what is
usually done for $F = \mathbb{Q}$, for example.

Relationship to conics. In view of the results in Section 4, we now relate the
above algorithms to the geometric problem of rational points on conics.

Theorem 6.10 (Hasse-Minkowski). A quaternion algebra $B$ has $B \cong M_2(F)$ if
and only if $B$ is unramified at all places.

Equivalently, a conic $C$ has $C(F) \neq \emptyset$ if and only if $C(F_v) \neq \emptyset$ for all places $v$ of
$F$.

For a proof of this result, see Lam [20], O'Meara [24], or Vignéras [36, §III.3.1].

Proposition 6.11. Problem (IsMatrixRing) is deterministic polynomial-time reducible
to the problem of factoring ideals in $\mathbb{Z}_F$.

Proof. Given a quaternion algebra $B = \left(\frac{a,b}{F}\right)$, we have $B_v \cong M_2(F_v)$ for all
$v \nmid 2ab\infty$, and by factoring by the above algorithms for each $v \mid 2ab\infty$ we check if
$B_v \cong M_2(F_v)$ by computing the Hilbert symbol $(a,b)_v$ in deterministic polynomial
time. □
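Added example (not from the original article): the reduction of Proposition 6.11 carried out for $F = \mathbb{Q}$ in Python. Odd places use the square-symbol criterion of Proposition 5.5 with Euler's formula, $(a,b)_2$ is recovered from Hilbert reciprocity as in Remark 5.9, and Theorem 6.10 gives the final answer. The function names are illustrative, $a, b$ are assumed to be nonzero integers, and trial division stands in for the factoring step.

```python
def ord_p(n, p):
    """p-adic valuation of a nonzero integer n."""
    e = 0
    while n % p == 0:
        n //= p
        e += 1
    return e

def legendre(u, p):
    """Legendre symbol (u/p) by Euler's formula u^((p-1)/2) mod p (repeated squaring)."""
    r = pow(u % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def square_symbol(a, v):
    """Square symbol {a/v} at an odd place v of Q: an odd prime, or "oo" for the real place."""
    if v == "oo":
        return 1 if a > 0 else 0
    e = ord_p(a, v)
    if e % 2 == 1:
        return 0
    # Even valuation: a is a square in Q_v iff its unit part is a residue mod v (Hensel).
    return legendre(a // v**e, v)

def hilbert_odd(a, b, v):
    """Hilbert symbol (a,b)_v at an odd place v, by the criterion of Proposition 5.5."""
    s = (square_symbol(a, v), square_symbol(b, v), square_symbol(-a * b, v))
    return 1 if 1 in s or s == (-1, -1, -1) else -1

def odd_primes_dividing(n):
    """Odd primes dividing the nonzero integer n, by trial division."""
    if n == 0:
        raise ValueError("n must be nonzero")
    n = abs(n)
    while n % 2 == 0:
        n //= 2
    primes, d = [], 3
    while d * d <= n:
        if n % d == 0:
            primes.append(d)
            while n % d == 0:
                n //= d
        d += 2
    if n > 1:
        primes.append(n)
    return primes

def hilbert_2(a, b):
    """(a,b)_2 from Hilbert reciprocity: the product of (a,b)_v over all places of Q is 1,
    and (a,b)_p = 1 for odd p not dividing ab."""
    sym = hilbert_odd(a, b, "oo")
    for p in odd_primes_dividing(a * b):
        sym *= hilbert_odd(a, b, p)
    return sym

def ramified_places(a, b):
    """Places of Q (among those dividing 2ab*oo) where (a,b/Q) is a division ring."""
    places = []
    if hilbert_odd(a, b, "oo") == -1:
        places.append("oo")
    if hilbert_2(a, b) == -1:
        places.append(2)
    places += [p for p in odd_primes_dividing(a * b) if hilbert_odd(a, b, p) == -1]
    return places

def is_matrix_ring(a, b):
    """IsMatrixRing for (a,b/Q): split iff unramified at every place (Hasse-Minkowski)."""
    return not ramified_places(a, b)

if __name__ == "__main__":
    # Constructed sample inputs.
    for a, b in [(-1, -1), (-1, 3), (-1, 2), (5, 11)]:
        print((a, b), "ramified at", ramified_places(a, b))
```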



7. Maximal orders 

In this section, we consider some integral versions (for orders) of the above algorithms relating quadratic forms and quaternion algebras. Our main result relates identifying the matrix ring to computing a maximal order. Throughout this section, let $F$ be a number field, let $\mathbb{Z}_F$ be its ring of integers, and let $\mathcal{O}$ be a $\mathbb{Z}_F$-order in a quaternion algebra $B$ over $F$. For further reading, see Reiner [26] or Vigneras [36].

Computing maximal orders, generally. There exists a deterministic algorithm to compute the ring of integers $\mathbb{Z}_F$ (see Cohen [SI §6.1], [7, Algorithm 2.4.9]): in fact, computing $\mathbb{Z}_F$ is deterministic polynomial-time equivalent to the problem of finding the largest square divisor of a positive integer [51 121j; no polynomial-time algorithm is known for this problem (though see work of Buchmann and Lenstra [3] for a way of "approximating" $\mathbb{Z}_F$).

Example 7.1. If $F = \mathbb{Q}(\sqrt{D})$, then $R = \mathbb{Z} \oplus \mathbb{Z}(d + \sqrt{d})/2$ where $D = df^2$ and $f^2$ is the largest square divisor of $D$ subject to the requirement that $d \equiv 0, 1 \pmod 4$.

We consider in this section the noncommutative analogues of this problem. We 
have the following general result due to Ronyai [IH Theorem 5.3]; see also Friedrichs 

m- 

Theorem 7.2. There exists an explicit algorithm which, given a semisimple $F$-algebra $B$, computes a maximal order $\mathcal{O} \subset B$. This algorithm runs in deterministic polynomial time given oracles for the problems of factoring integers and factoring polynomials over finite fields.

At present, it is not known if there exist deterministic polynomial-time algo- 
rithms to solve either of these latter two problems. Indeed, we have already noted 
that computing a maximal order in F is as hard as computing the largest squarefree 
divisor of a positive integer; therefore, it is reasonable to expect that the problem 
for a noncommutative algebra B is no less complicated. (See a more precise char- 
acterization of this complexity at the end of this section.) 
We do not discuss the algorithm exhibited in Theorem 7.2; rather, we consider the special case of quaternion algebras, and by manipulations with quadratic forms we obtain a simpler algorithm.

Discriminants. We begin by analyzing the following problem. 

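Problem 7.3 (IsMaximal). Given an order $\mathcal{O} \subset B$, determine if $\mathcal{O}$ is a maximal order.

This problem has a very simple solution as follows. The discriminant $\mathfrak{D}(B)$ of $B$ is the ideal equal to the product of all primes of $\mathbb{Z}_F$ where $B$ is ramified:

$$\mathfrak{D}(B) = \prod_{\mathfrak{p} \text{ ramified}} \mathfrak{p}.$$

On the other hand, the discriminant $\operatorname{disc}(\mathcal{O})$ of an order $\mathcal{O} \subset B$ is the ideal generated by the set

$$\{\det(\operatorname{trd}(x_i x_j))_{i,j=1,\dots,4} : x_1, \dots, x_4 \in \mathcal{O}\}.$$

The discriminant $\operatorname{disc}(\mathcal{O})$ is the square of an ideal in $\mathbb{Z}_F$, and the reduced discriminant $\mathfrak{d}(\mathcal{O})$ of $\mathcal{O}$ is the ideal satisfying $\mathfrak{d}(\mathcal{O})^2 = \operatorname{disc}(\mathcal{O})$. Given a pseudobasis $(\mathfrak{a}_i, x_i)$ for $\mathcal{O}$ we have

$$\operatorname{disc}(\mathcal{O}) = (\mathfrak{a}_1 \cdots \mathfrak{a}_4)^2 \det(\operatorname{trd}(x_i x_j))_{i,j=1,\dots,4}.$$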

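Remark 7.4. Although we will not use this in the sequel, the reduced discriminant can in fact be computed more simply: if $\mathcal{O} = \mathbb{Z}_F \oplus \mathfrak{a} i \oplus \mathfrak{b} j \oplus \mathfrak{c} k$ then

$$\mathfrak{d}(\mathcal{O}) = \mathfrak{a}\mathfrak{b}\mathfrak{c}\,\operatorname{trd}((ij - ji)k).$$

Lemma 7.5. An order $\mathcal{O} \subset B$ is maximal if and only if $\mathfrak{d}(\mathcal{O}) = \mathfrak{D}(B)$.

Proof. We give only a sketch of the proof. For a prime $\mathfrak{p}$ of $\mathbb{Z}_F$, let $\mathbb{Z}_{F,\mathfrak{p}}$ be the completion of $\mathbb{Z}_F$ at $\mathfrak{p}$ and $F_{\mathfrak{p}}$ the completion of $F$ at $\mathfrak{p}$; write $\mathcal{O}_{\mathfrak{p}} = \mathcal{O} \otimes_{\mathbb{Z}_F} \mathbb{Z}_{F,\mathfrak{p}}$ and similarly $B_{\mathfrak{p}} = B \otimes_F F_{\mathfrak{p}}$.

We have $\mathfrak{d}(\mathcal{O}) = \mathfrak{D}(B)$ if and only if $\mathfrak{d}(\mathcal{O})_{\mathfrak{p}} = \mathfrak{d}(\mathcal{O}_{\mathfrak{p}}) = \mathfrak{D}(B_{\mathfrak{p}}) = \mathfrak{D}(B)_{\mathfrak{p}}$ for all primes $\mathfrak{p}$, and the order $\mathcal{O}$ is maximal if and only if $\mathcal{O}_{\mathfrak{p}}$ is maximal for every prime $\mathfrak{p}$ of $\mathbb{Z}_F$ (see [25, 11.2]). So it suffices to note that if $\mathfrak{p}$ is unramified then any maximal order of $B_{\mathfrak{p}}$ has discriminant $\mathbb{Z}_{F,\mathfrak{p}}$ and if $\mathfrak{p}$ is ramified then the unique maximal order of $B_{\mathfrak{p}}$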



Putting these together with the computation of the local Hilbert symbol, we have shown that one can solve Problem (IsMaximal) in deterministic polynomial time given an oracle to factor integers and polynomials over finite fields, since this allows the factorization of the discriminant $\mathfrak{D}(B)$ [BJ Proposition 6.2.8, Algorithm 6.2.9]; note that this need only be done once for a quaternion algebra $B$.

Computing maximal orders. We now turn to the problem of computing a maximal order in a quaternion algebra.

Problem 7.6 (AlgebraMaxOrder). Given a quaternion algebra $B$ over $F$, compute a maximal order $\mathcal{O} \subset B$.

A more general problem is as follows.

Problem 7.7 (MaxOrder). Given an order $A \subset B$ in a quaternion algebra $B$ over $F$, compute a maximal order $\mathcal{O} \supset A$.



One immediately reduces from the former to the latter by exhibiting any order in $B$, as follows. (First, we compute $\mathbb{Z}_F$ as above; this can be considered a precomputation step if $F$ is fixed.) If $B = \left(\frac{a, b}{F}\right)$, we may scale $a, b$ by a nonzero square integer so that $a, b \in \mathbb{Z}_F$, and then

$$\mathbb{Z}_F \oplus \mathbb{Z}_F i \oplus \mathbb{Z}_F j \oplus \mathbb{Z}_F ij \tag{7.8}$$

is an order, where $i, j$ are the standard generators for $B$.

An order $\mathcal{O}$ is $\mathfrak{p}$-maximal for a prime $\mathfrak{p}$ if $\mathcal{O}_{\mathfrak{p}} = \mathcal{O} \otimes_{\mathbb{Z}_F} \mathbb{Z}_{F,\mathfrak{p}}$ is maximal. To solve Problem (MaxOrder), we recursively compute a $\mathfrak{p}$-maximal order for every prime $\mathfrak{p} \mid \mathfrak{d}(\mathcal{O})$, proceeding in two steps.

We say an order $\mathcal{O}$ is $\mathfrak{p}$-saturated if nrd has a normalized basis $1, i, j, k$ (see Proposition 3.11) such that each atomic block has valuation at most 1; we then say that $1, i, j, k$ is a $\mathfrak{p}$-saturated basis for $\mathcal{O}$.

We compute a $\mathfrak{p}$-saturated order in the following straightforward way. We say that $\pi^{-1} \in F$ is an inverse uniformizer for $\mathfrak{p}$ if $\operatorname{ord}_{\mathfrak{p}}(\pi^{-1}) = -1$ and $\operatorname{ord}_{\mathfrak{q}}(\pi^{-1}) \geq 0$ for all $\mathfrak{q} \neq \mathfrak{p}$.

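Algorithm 7.9. Let

$$A = \mathbb{Z}_F \oplus \mathfrak{a} i \oplus \mathfrak{b} j \oplus \mathfrak{c} k \subset B$$

be an order and let $\mathfrak{p}$ be prime. This algorithm computes a $\mathfrak{p}$-saturated order $\mathcal{O} \supset A$ and a $\mathfrak{p}$-saturated basis for $\mathcal{O}$.

1. Choose $d \in \mathfrak{a}$ such that $\operatorname{ord}_{\mathfrak{p}}(d) = \operatorname{ord}_{\mathfrak{p}}(\mathfrak{a})$ and let $i := di$; compute similarly with $j, k$. Let $\mathcal{O} := A$.

2. Run Algorithm 3.13 over the localization of $\mathbb{Z}_F$ at $\mathfrak{p}$ with input the quadratic form $\operatorname{nrd}|_{\mathcal{O}}$ and the basis $1, i, j, k$; let $1, i^*, j^*, k^*$ be the output. Let $d \in \mathbb{Z}_F$ be such that $\operatorname{ord}_{\mathfrak{p}} d = 0$ and such that $d i^* \in \mathcal{O}$, and let $i := d i^*$; compute similarly with $j, k$.

3. Let $\pi^{-1}$ be an inverse uniformizer for $\mathfrak{p}$. For each atomic form $Q$ in $\operatorname{nrd}|_{\mathcal{O}}$, let $e$ be the valuation of $Q$, and multiply each basis element in $Q$ by $(\pi^{-1})^{\lfloor e/2 \rfloor}$. Return $\mathcal{O} := A + (\mathbb{Z}_F i \oplus \mathbb{Z}_F j \oplus \mathbb{Z}_F k)$ and the basis $1, i, j, k$.

Proof of correctness. In Step 3, we are asserting that the output of Algorithm 3.13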
leaves 1 as the first basis element. Indeed, we note that ordp trd(j) < ordp trd(i(ij)) 
since trd(«(ij)) = trd(i)^ — trd(j) nrd(i) and similarly ordp trd(?) < ordp trd((«j)j). 

Let $1, i, j, k$ be the basis computed in Step 3. By definition, this basis is $\mathfrak{p}$-saturated; we need to show that $\mathcal{O}$ is indeed an order. But $\mathcal{O}$ is an order if and only if $\mathcal{O}_{\mathfrak{q}}$ is an order for all primes $\mathfrak{q}$, and we have $\mathcal{O}_{\mathfrak{q}} = A_{\mathfrak{q}}$ for all primes $\mathfrak{q} \neq \mathfrak{p}$.

For any $x, y \in B$ we have $xy + yx = \operatorname{trd}(y)x + \operatorname{trd}(x)y + T(x, y)$, so if $\mathcal{O}$ is an order then adjoining $x$ to $\mathcal{O}$ yields a set which is multiplicatively closed if and only if $T(x,y) \in \mathbb{Z}_F$ for all $y \in \mathcal{O}$. We have $T(x,y) = 0$ if $x, y$ are orthogonal, and if $x, y$ are a basis for an atomic block $Q$ then by definition the valuation of $T(x,y)$ is at least the valuation of $Q$ and so we can multiply each by $(\pi^{-1})^{\lfloor e/2 \rfloor}$, preserving integrality. □

After $\mathfrak{p}$-saturating, one can compute a maximal order as follows.

Algorithm 7.10. Let $A$ be an order and let $\mathfrak{p}$ be prime. This algorithm computes a $\mathfrak{p}$-maximal order $\mathcal{O} \supset A$.

1. Compute a $\mathfrak{p}$-saturated order $\mathcal{O} \supset A$ and let $1, i, j, k$ be a $\mathfrak{p}$-saturated basis for $\mathcal{O}$. Let $\pi^{-1}$ be an inverse uniformizer for $\mathfrak{p}$.
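2. Suppose $\mathfrak{p}$ is odd. Swap $i$ for $j$ or $k$ if necessary so that $a := i^2$ has $\operatorname{ord}_{\mathfrak{p}}(a) = 0$. Let $b := j^2$. If $\operatorname{ord}_{\mathfrak{p}} b = 0$, return $\mathcal{O}$. Otherwise, if $\operatorname{ord}_{\mathfrak{p}} b = 1$ and $(a/\mathfrak{p}) = 1$, solve

$$x^2 \equiv a \pmod{\mathfrak{p}}$$

for $x \in \mathbb{Z}_F/\mathfrak{p}$. Adjoin the element $\pi^{-1}(x - i)j$ to $\mathcal{O}$, and return $\mathcal{O}$.

3. Otherwise, $\mathfrak{p}$ is even. Let $t := \operatorname{trd}(i)$, let $a := -\operatorname{nrd}(i)$, and let $b := j^2$.

a. Suppose $\operatorname{ord}_{\mathfrak{p}} t = 0$. If $\operatorname{ord}_{\mathfrak{p}} b = 0$, return $\mathcal{O}$. If $\operatorname{ord}_{\mathfrak{p}} b = 1$ and $x^2 - tx + a = 0$ has a root $x$ modulo $\mathfrak{p}$, adjoin $\pi^{-1}(x - i)j$ to $\mathcal{O}$, and return $\mathcal{O}$.

b. Suppose $\operatorname{ord}_{\mathfrak{p}} \operatorname{trd}(i) > 0$. Let $y, z, w$ be the output of Algorithm 6.5 with input $a, b$. Let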

i' :— (7r^"'")'^(l + yi + zj + wij). 

Adjoin i' to O, and return to Step 1. 

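Proof of correctness. At every step in the algorithm, for each prime $\mathfrak{q} \neq \mathfrak{p}$ the order $\mathcal{O}_{\mathfrak{q}}$ does not change, so we need only verify that $\mathcal{O}_{\mathfrak{p}}$ is indeed a maximal order.

In Step 2, we have that $b$ is a uniformizer for $\mathfrak{p}$, that $\mathfrak{d}(\mathcal{O}_{\mathfrak{p}}) = 4ab\,\mathbb{Z}_{F,\mathfrak{p}} = \mathfrak{p}$, and that $B_{\mathfrak{p}} = \left(\frac{K_{\mathfrak{p}}, b}{F_{\mathfrak{p}}}\right)$ where $K_{\mathfrak{p}} = F_{\mathfrak{p}}[i]$. We conclude that $B_{\mathfrak{p}}$ is a division ring (and hence $\mathcal{O}_{\mathfrak{p}}$ is maximal) if and only if $(a/\mathfrak{p}) = -1$. If $(a/\mathfrak{p}) = 1$ and $j' = \pi^{-1}(x - i)j$ then $1, i, j', ij'$ form the $\mathbb{Z}_{F,\mathfrak{p}}$-basis for a maximal order, since

$$(j')^2 = (\pi^{-1})^2(x^2 - a)b \in \mathbb{Z}_{F,\mathfrak{p}} \quad \text{and} \quad j'i = -ij'.$$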

In Step 3, first note that ij is also orthogonal to we have i orthogonal to 
j so trd(zj) = so z is orthogonal to j, and similarly trd{iji) = trd(nrd(i)j) = 0. 

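In particular, we have $B_{\mathfrak{p}} = \left(\frac{K_{\mathfrak{p}}, b}{F_{\mathfrak{p}}}\right)$ where $K_{\mathfrak{p}} = F_{\mathfrak{p}}[i]$. By a comparison of discriminants, using the fact that the basis is normalized, we see that $1, i, j, ij$ is a $\mathfrak{p}$-saturated basis for $\mathcal{O}$ as well, so without loss of generality we may take $k = ij$.

Suppose first $\operatorname{ord}_{\mathfrak{p}} \operatorname{trd}(i) = 0$, so we are in Step 3a. If $\operatorname{ord}_{\mathfrak{p}} b = 0$, then $\mathfrak{d}(\mathcal{O}_{\mathfrak{p}}) = \mathbb{Z}_{F,\mathfrak{p}}$ so $\mathcal{O}_{\mathfrak{p}}$ is maximal. If $\operatorname{ord}_{\mathfrak{p}} b > 0$, then since the basis is $\mathfrak{p}$-saturated we have $\operatorname{ord}_{\mathfrak{p}} b = 1$. Thus as in the case for $\mathfrak{p}$ odd, we have $B_{\mathfrak{p}}$ is a division ring if and only if $K_{\mathfrak{p}}$ is not a field, and as above adjoining the element $\pi^{-1}(x - i)j$ yields a maximal order.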

So suppose we are in Step 3b, so ordp trd(i) > 0. Since l,i,j,k is normalized, 
we have ordp trd(z) = ordpT(l,i) < ordpT(j, fc). Adjoining i' to O gives a Zf,p- 
module with basis since y G (Zi?/p)^; adjoining j' gives a module with 

basis 1, for the same reason. We verify that Op after these steps is indeed 

an order: we have trd(z') = 2{tt^^Y G Zp.p and nrd(«') = (7r^^)^'^(l — ay'^ — 6z^ + 
abw^) G Zf_p by construction, so at least Zp^pli] = '^F,p ® Z^^pZ is a ring. Similarly 
we have (j')^ = 6' G Z^.p. Finally, we have trd(z'i) = 2{Tr~^Yya and trd(i'j) = 
2(7r"i)^z6, so it follows that trd(z'j') = 0, and hence fi' = = -i'j'-trd{i')j', 
so indeed we have an order. □ 

Remark 7.11. One must really treat the even and odd prime cases separately. Consider, for example, $F = \mathbb{Q}$, and the quaternion algebra B = ( — ^ — j. Then we have the maximal orders $\mathbb{Z}[(1 + i)/2] \subset \mathbb{Q}(i)$ = Q(V^) and $\mathbb{Z}[(1 + j)/2] \subset \mathbb{Q}(\sqrt{5})$, but we find that



2 J \ 2 J \ 2 J \ 2 J 2' 
which is not integral (since ij/2 has norm 15/4). 

Remark 7.12. In the proof of correctness for Algorithm 7.10, in each case where $\mathfrak{p}$ is ramified in $B$ we have in fact written $B_{\mathfrak{p}} = \left(\frac{K_{\mathfrak{p}}, b}{F_{\mathfrak{p}}}\right)$ where $K_{\mathfrak{p}}$ is the unramified extension of $F_{\mathfrak{p}}$. The reader will note the similarity between this algorithm and the algorithm to compute the Hilbert symbol: the former extends the latter by taking a witness for the fact that the algebra is split, namely a zerodivisor modulo $\mathfrak{p}$, and uses this to compute a larger order (giving rise therefore to the matrix ring).

Combining these two algorithms, we have the following immediate corollary.

Corollary 7.13. There exists an algorithm to solve (ExhibitMatrixRing) for orders over $\mathbb{Z}_{F,\mathfrak{p}}$.

(We recall the discussion in Section 4 for the representation of local fields and rings.) In other words, if $\mathcal{O} \subset B$ is an order in a quaternion algebra $B$ over a number field $F$ and $\mathfrak{p}$ is a prime of $\mathbb{Z}_F$ which is unramified in $B$, then there exists an algorithm to compute an explicit embedding $\mathcal{O} \hookrightarrow M_2(\mathbb{Z}_{F,\mathfrak{p}})$.

Putting these two algorithms together, we have proved the following theorem.

Theorem 7.14. Problem (MaxOrder) is deterministic polynomial-time reducible to the problem of factoring ideals in $\mathbb{Z}_F$.

Proof. Given any order $A$, we factor its discriminant $\mathfrak{d}(A)$, and for each prime $\mathfrak{p} \mid \mathfrak{d}(A)$, we compute a $\mathfrak{p}$-saturated order containing $A$ from Algorithm 7.9 and a $\mathfrak{p}$-maximal order $\mathcal{O}$ containing it using Algorithm 7.10. □

Complexity analysis. Given Theorem 7.14, we prove the following result which characterizes the abstract complexity class of this problem, following a hint of Ronyai [28, §6].

Theorem 7.15. Problem (AlgebraMaxOrder) for any fixed number field F is prob- 
abilistic polynomial-time equivalent to the problem of factoring integers. 

To prove the theorem, we will use two lemmas. The first lemma is a standard 
fact. 

Lemma 7.16. The problem of factoring integral ideals $\mathfrak{a}$ of an arbitrary number field is probabilistic polynomial-time equivalent to the problem of factoring integers.

Proof. Suppose $\mathfrak{a}$ is an integral ideal of $F$. After factoring the absolute discriminant $d_F$ of $F$, we can in deterministic polynomial time compute the ring of integers $\mathbb{Z}_F$ of $F$ as above. Now let $\mathfrak{a}$ be an ideal with norm $N(\mathfrak{a}) = a$. After we factor $a$, for each prime $p \mid a$, we decompose $p\mathbb{Z}_F = \prod_i \mathfrak{p}_i^{e_i}$ into primes by a probabilistic polynomial time algorithm due to Buchmann and Lenstra [BJ Algorithm 6.2.9]: this algorithm uses a probabilistic algorithm to factor polynomials over a finite field, such as the Cantor-Zassenhaus algorithm; see von zur Gathen and Gerhard [13, Theorem 14.14] or Cohen [SI §3.4]. (In fact, for our applications, it suffices to have an algorithm to compute a square root in a finite field, for which we may use the algorithm of Tonelli and Shanks [SI §1.5.1].)

From this list of primes we easily obtain the factorization of $\mathfrak{a}$. Conversely, if one has an algorithm to factor ideals, then one may factor $a\mathbb{Z}_F$ into primes and computing norms we recover the prime factorization of $a$ over $\mathbb{Z}$. □

Remark 7.17. Deterministically, already the problem of finding a nonsquare modulo a prime $p$ is difficult; one unconditional result known is that the smallest quadratic nonresidue of a prime $p$ is of size exponential in $\log p$; under condition of a generalized Riemann hypothesis, one can find a quadratic nonresidue which is of polynomial size in $\log p$.

We will also make use of one other lemma. 

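Lemma 7.18. Let $\mathfrak{a}$ be an ideal of $\mathbb{Z}_F$ which is odd, not a square, and not a prime power. Let

$$S = \left\{ b \in (\mathbb{Z}_F/\mathfrak{a})^\times : \text{there exist } \mathfrak{p}^e, \mathfrak{q}^f \parallel \mathfrak{a} \text{ with } \left(\frac{b}{\mathfrak{p}}\right)^e = -1 \text{ and } \left(\frac{b}{\mathfrak{q}}\right)^f = 1 \right\}.$$

Then $\#S \geq \frac{1}{2}\#(\mathbb{Z}_F/\mathfrak{a})^\times$.

Proof. For an ideal $\mathfrak{b}$, let $\Phi(\mathfrak{b}) = \#(\mathbb{Z}_F/\mathfrak{b})^\times$. First consider the case where $\mathfrak{a} = \mathfrak{p}^e \mathfrak{q}^f$ is the product of two prime powers. Without loss of generality, we may assume $e$ is odd. If $f$ is even, then $b \in S$ if and only if $(b/\mathfrak{p}) = -1$, so $\#S = \Phi(\mathfrak{p}^e)/2 \cdot \Phi(\mathfrak{q}^f) = \Phi(\mathfrak{a})/2$. If $f$ is odd, then $\#S = 2(\Phi(\mathfrak{p}^e)/2)(\Phi(\mathfrak{q}^f)/2) = \Phi(\mathfrak{a})/2$.

To conclude, write $\mathfrak{a} = \mathfrak{p}^e \mathfrak{q}^f \mathfrak{b}$ with $\mathfrak{b}$ coprime to $\mathfrak{p}\mathfrak{q}$ and $e$ odd. Then by the preceding paragraph $\#S \geq (1/2)\Phi(\mathfrak{p}^e \mathfrak{q}^f)\Phi(\mathfrak{b}) = \Phi(\mathfrak{a})/2$. □

Proof of Theorem 7.15. Since one can factor ideals in probabilistic polynomial time given an algorithm to factor integers by Lemma 7.16, we may compute a maximal order as in the previous section as the resulting computations run in (deterministic) polynomial time.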

Now we prove the converse. Suppose we have an algorithm to solve Problem (AlgebraMaxOrder). Let $a \in \mathbb{Z}_{>0}$ be the integer to be factored, which we may assume without loss of generality is odd, not a prime power, and not a square. We can in constant time factor the absolute discriminant $d_F$, so we may also assume $\gcd(a, d_F) = 1$. It follows that the ideal $a\mathbb{Z}_F$ is also odd, not a prime power, and not a square.

We compute a random $b \in \mathbb{Z}_F/a\mathbb{Z}_F$ with $b \neq 0$. Since $N(a\mathbb{Z}_F) = a^d$ where $d = [F : \mathbb{Q}]$, if $N(b\mathbb{Z}_F)$ is not a power of $a$ then dividing $\gcd(a^d, N(b))$ by powers of $a$ we obtain a factor of $a$. Otherwise, $\mathfrak{a} = a\mathbb{Z}_F + b\mathbb{Z}_F$ is a proper divisor of $a\mathbb{Z}_F$ and we repeat, computing a random $b \in \mathbb{Z}_F/\mathfrak{a}$; in at most $d$ steps, we will either factor $a$ or find an element $b$ such that $a\mathbb{Z}_F + b\mathbb{Z}_F = \mathbb{Z}_F$. Note $d$ depends only on $F$ and not on i?, so we find such a $b$ in probabilistic polynomial time.

By Lemma 7.18, we can find in probabilistic polynomial time $b \in (\mathbb{Z}_F/a\mathbb{Z}_F)^\times$ such that $\mathfrak{p}^e, \mathfrak{q}^f \parallel a$ with $(b/\mathfrak{p})^e = -1$ and $(b/\mathfrak{q})^f = 1$, say. Let $B = \left(\frac{a, b}{F}\right)$. By hypothesis, calling an algorithm to solve (AlgebraMaxOrder) we may compute a maximal order $\mathcal{O} \subset B$.

We claim that $\mathfrak{p} \mid \mathfrak{d}(\mathcal{O})$ but $\mathfrak{q} \nmid \mathfrak{d}(\mathcal{O})$. Assuming this, we have that $\gcd(N(\mathfrak{d}(\mathcal{O})), a)$ is a proper factor of $a$, and the proof is complete.

First we prove that $\mathfrak{p} \mid \mathfrak{d}(\mathcal{O})$. Since $\mathfrak{p}$ is prime to $d_F$, we know that $\mathfrak{p}$ is unramified in $F$, and since $\mathfrak{p}^e \parallel a\mathbb{Z}_F$ with $e$ odd, the extension $F(\sqrt{a})/F$ is ramified at $\mathfrak{p}$. Since $(b/\mathfrak{p}) = -1$, by Corollary 5.5, the algebra $B$ is ramified at $\mathfrak{p}$. Therefore by Lemma 7.5, $\mathfrak{p}$ divides the discriminant $\mathfrak{d}(\mathcal{O})$.

Now we show that $\mathfrak{q} \nmid \mathfrak{d}(\mathcal{O})$. If $f$ is even, since $\mathfrak{q}^f \parallel a\mathbb{Z}_F$, we have that $F(\sqrt{a})/F$ is unramified at $\mathfrak{q}$; since also $(b/\mathfrak{q}) \neq 0$, by the same corollary, $B$ is unramified at $\mathfrak{q}$. And if $f$ is odd, then since $(b/\mathfrak{q})^f = 1$ we must have $(b/\mathfrak{q}) = 1$, and again by the corollary it follows that $B$ is unramified. □
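The following Python example is added here and is not from the paper. For $F = \mathbb{Q}$ it computes the discriminant of $\left(\frac{a,b}{\mathbb{Q}}\right)$ from Hilbert symbols at the places $v \mid 2ab\infty$ (Proposition 6.11), applies the maximality test of Lemma 7.5 to a given reduced discriminant, and replays the last step of the proof above, where the discriminant of a maximal order yields a proper factor of $a$. All function names are assumptions, the closed-form Hilbert symbol formulas over $\mathbb{Q}_p$ are the classical ones rather than the paper's Algorithm 6.6, and trial division stands in for the factoring and (AlgebraMaxOrder) oracles.

```python
from math import gcd

def val_unit(n, p):
    """Write nonzero n as p**v * u with p not dividing u; return (v, u)."""
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v, n

def legendre(u, p):
    """Legendre symbol (u/p), p an odd prime not dividing u (Euler's criterion)."""
    return 1 if pow(u % p, (p - 1) // 2, p) == 1 else -1

def hilbert(a, b, v):
    """Hilbert symbol (a,b)_v over Q for nonzero integers a, b; v is a prime or 'oo'."""
    if v == 'oo':
        return -1 if a < 0 and b < 0 else 1
    alpha, u = val_unit(a, v)
    beta, w = val_unit(b, v)
    if v == 2:
        eps = lambda x: ((x - 1) // 2) % 2        # 0 iff x = 1 mod 4
        omega = lambda x: ((x * x - 1) // 8) % 2  # 0 iff x = +-1 mod 8
        e = eps(u) * eps(w) + alpha * omega(w) + beta * omega(u)
    else:
        e = alpha * beta * ((v - 1) // 2)
        e += beta * (legendre(u, v) == -1) + alpha * (legendre(w, v) == -1)
    return -1 if e % 2 else 1

def prime_divisors(n):
    """Prime divisors of n by trial division (stands in for a factoring oracle)."""
    n, d, out = abs(n), 2, set()
    while d * d <= n:
        if n % d == 0:
            out.add(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def ramified_places(a, b):
    """Places v | 2ab*oo with (a,b)_v = -1; every other place is unramified."""
    places = ['oo', 2] + sorted(prime_divisors(a * b) - {2})
    return [v for v in places if hilbert(a, b, v) == -1]

def discriminant(a, b):
    """Generator of D(B): product of the finite ramified primes of B = (a,b/Q)."""
    D = 1
    for v in ramified_places(a, b):
        if v != 'oo':
            D *= v
    return D

def is_matrix_ring(a, b):
    """B = (a,b/Q) is isomorphic to M_2(Q) iff no place is ramified."""
    return not ramified_places(a, b)

def is_maximal(a, b, reduced_disc):
    """Lemma 7.5: an order in (a,b/Q) is maximal iff d(O) = D(B)."""
    return abs(reduced_disc) == discriminant(a, b)

def factor_from_max_order(a, b):
    """Last step of the reduction: gcd(N(d(O)), a), using d(O) = D(B) for maximal O."""
    return gcd(discriminant(a, b), a)

if __name__ == "__main__":
    # Constructed sample inputs.
    print(ramified_places(-1, -1))         # Hamilton quaternions over Q
    print(is_maximal(-1, -1, 4))           # Z + Zi + Zj + Zij has d(O) = 4ab
    print(factor_from_max_order(15, 11))   # (11/3) = -1 and (11/5) = 1
```

With $a = 15$ and $b = 11$ the algebra is ramified at 3 but not at 5, which is exactly the asymmetry the proof arranges through Lemma 7.18.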

Relationship to conics. We return once again to the theme of rational points on conics.

We have seen that given an algorithm to factor integers, one can solve both problems (IsMatrixRing), or equivalently (HasPoint), over a number field $F$ in probabilistic polynomial time by factoring the discriminant and computing Hilbert symbols. We have also seen that (AlgebraMaxOrder) over a number field $F$ is probabilistic polynomial time equivalent to the problem of factoring integers.

We are left to consider (ExhibitMatrixRing), or equivalently (ExhibitPoint). In the special case where $F = \mathbb{Q}$, one shows that again they are reducible to the problem of integer factorization.

Theorem 7.19 (Cremona-Rusin [8], Ronyai [15], Simon [34]). There exists an explicit algorithm to solve (ExhibitPoint) over $\mathbb{Q}$ which runs in deterministic polynomial time given an oracle to factor integers.

From our point of view, the algorithm(s) described in the above theorem can be rephrased in the following way: there exists an explicit algorithm which, given an order $\mathcal{O}$ over $\mathbb{Z}$ of discriminant 1 which is split at $\infty$, computes a zerodivisor $x \in \mathcal{O}$. This algorithm proceeds by computing a reduced basis of $\mathcal{O}$ with respect to the reduced norm nrd, a kind of indefinite LLL-algorithm.

Question 7.20. Does there exist an algorithm which, given an order $\mathcal{O}$ over $\mathbb{Z}_F$ of discriminant 1 which is split at all real places of $F$, computes a zerodivisor $x \in \mathcal{O}$?

One possible approach to this conjecture, then, is to provide an indefinite LLL algorithm over $F$ in the special case of $\mathbb{Z}_F$-module of rank 4 and discriminant 1. Perhaps one can prove this at least in the case where $\mathbb{Z}_F$ is computably Euclidean?

We discuss the computational complexity of problem (IsMatrixRing) over $\mathbb{Q}$ in the next section (and relate this to the problem of factoring integers). From the discussion above, it seems reasonable to conjecture the following.

Conjecture 7.21. Problem (ExhibitPoint) over $\mathbb{Q}$ is (probabilistic) polynomial-time equivalent to the problem of factoring integers.

Having treated the case of number fields in some detail, we note that over more 
general fields, the literature is much less complete. 

Question 7.22. For which computable fields F is there an effective algorithm to 
solve Problems (HasPoint) and (ExhibitPoint)? 

For example, one may ask for which fields F is there an effective version of 
the Hasse-Minkowski theorem? Of course, if one can solve (HasPoint), then given 
a conic which is known to have a solution one can always simply enumerate the 
points of {F) until a solution is found. 



32 



JOHN VOIGHT 



8. Residuosity 



In this final section, we return to Problem (IsMatrixRing) and characterize its computational complexity. Let $F$ be a number field with ring of integers $\mathbb{Z}_F$.

For a nonzero ideal $\mathfrak{b}$ of $\mathbb{Z}_F$, let $\operatorname{sqrad}(\mathfrak{b})$ be the product of the prime ideals $\mathfrak{p}$ dividing $\mathfrak{b}$ to odd exponent, or equivalently the quotient of $\mathfrak{b}$ by the largest square ideal dividing $\mathfrak{b}$.

Problem (QuadraticResiduosity). Given an odd ideal $\mathfrak{b}$ and $a \in (\mathbb{Z}_F/\mathfrak{b})^\times$, determine if $a \in (\mathbb{Z}_F/\operatorname{sqrad}(\mathfrak{b}))^{\times 2}$, i.e., determine if $a$ is a quadratic residue modulo $\operatorname{sqrad}(\mathfrak{b})$.

Problem (QuadraticResiduosity) reduces to the more familiar problem of quadratic residuosity when $\mathfrak{b}$ is a squarefree ideal, namely, to determine if $a \in (\mathbb{Z}_F/\mathfrak{b})^{\times 2}$. If $\mathfrak{b} = \mathfrak{p}$ is a prime ideal, one has $a \in (\mathbb{Z}_F/\mathfrak{p})^{\times 2}$ if and only if $(a/\mathfrak{p}) = 1$, and this Legendre symbol can be evaluated in deterministic polynomial time (as discussed above, by repeated squaring). In general, for $\mathfrak{b}$ squarefree, we have $a \in (\mathbb{Z}_F/\mathfrak{b})^{\times 2}$ if and only if $a \in (\mathbb{Z}_F/\mathfrak{p})^{\times 2}$ for all primes $\mathfrak{p} \mid \mathfrak{b}$. In particular, by this reduction if one can factor $\mathfrak{b}$, one can solve Problem (QuadraticResiduosity). It is a terrific open problem in number theory to determine if the converse holds, even for the case $F = \mathbb{Q}$ and $\mathfrak{b}$ generated by $pq$ with $p, q$ distinct primes.
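The following Python example is added here and is not from the paper. For $F = \mathbb{Q}$ it solves Problem (QuadraticResiduosity) when the factorization of $b$ is supplied, and sets that answer beside the Jacobi symbol, which is computable without factoring (here by the classical algorithm over $\mathbb{Z}$, in the Euclidean style of Algorithm 6.8) but does not decide residuosity. Function names and the `{prime: exponent}` encoding of the factorization are assumptions.

```python
from math import prod

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by Euclidean division and reciprocity."""
    a %= n
    z = 1
    while a:
        while a % 2 == 0:              # (2/n) = -1 exactly when n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                z = -z
        a, n = n, a                    # quadratic reciprocity for odd a, n
        if a % 4 == 3 and n % 4 == 3:
            z = -z
        a %= n                         # Euclidean step
    return z if n == 1 else 0

def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime not dividing a, by repeated squaring."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1

def sqrad(factorization):
    """Product of the primes dividing b to odd exponent; b is given as {p: e}."""
    return prod(p for p, e in factorization.items() if e % 2)

def is_residue_mod_sqrad(a, factorization):
    """a is a square modulo sqrad(b) iff (a/p) = 1 for every p | sqrad(b)."""
    return all(legendre(a, p) == 1 for p, e in factorization.items() if e % 2)

def is_square_mod(a, m):
    """Brute-force reference check, only usable for small m."""
    return any((x * x - a) % m == 0 for x in range(m))

if __name__ == "__main__":
    # Constructed sample inputs: b = 15 = 3 * 5 and b = 45 = 3^2 * 5.
    for a in (2, 4, 7):
        print(a, jacobi(a, 15), is_residue_mod_sqrad(a, {3: 1, 5: 1}))
    print(sqrad({3: 2, 5: 1}), is_residue_mod_sqrad(11, {3: 2, 5: 1}))
```

For $b = 15$ the element $a = 2$ has Jacobi symbol $+1$ yet is a nonresidue modulo both 3 and 5, the case in which no method avoiding the factorization of $b$ is known.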

We first relate the problems (IsMatrixRing) and (QuadraticResiduosity) as follows. 

Proposition 8.1. Problem (IsMatrixRing) over $F$ is deterministic polynomial-time reducible to Problem (QuadraticResiduosity) over $F$.

Proof. Let $B = \left(\frac{a, b}{F}\right)$ be a quaternion algebra over $F$. Scaling $a, b$ by an integer square, we may assume $a, b \in \mathbb{Z}_F$. Recall that $B = M_2(F)$ if and only if every place $v$ of $F$ is unramified in $B$, i.e., if $(a, b)_v = 1$ for all places $v$ of $F$.

For fixed $F$, we can in constant (deterministic) time compute the set of even places of $F$. We then compute the Hilbert symbol $(a, b)_v$ for $v$ real easily and for $v$ even by Algorithm 6.6.

For the odd places, we first apply Lemma 5.5 which implies that we need only check primes $\mathfrak{p} \mid ab\mathbb{Z}_F$. We then compute $\mathfrak{g} = a\mathbb{Z}_F + b\mathbb{Z}_F$ as well as $g \in \mathfrak{g}$ such that $c = -ab/g^2$ is coprime to $b\mathbb{Z}_F$; then $B = \left(\frac{c, b}{F}\right)$, and for any prime $\mathfrak{p} \mid b\mathbb{Z}_F$, we have that $\mathfrak{p}$ is ramified in $B$ if and only if $\mathfrak{p} \mid \operatorname{sqrad}(b\mathbb{Z}_F)$ and $(c/\mathfrak{p}) = -1$. We can test this latter condition for all $\mathfrak{p} \mid b\mathbb{Z}_F$ by calling the algorithm to solve (QuadraticResiduosity). We then repeat this step with $a, b$ interchanged, and we return true if and only if both of these quadratic residuosity tests return true. □

When $F = \mathbb{Q}$, in fact these problems are equivalent.

Theorem 8.2. Problem (IsMatrixRing) over $\mathbb{Q}$ is probabilistic polynomial-time equivalent to Problem (QuadraticResiduosity) over $\mathbb{Q}$.

Remark 8.3. Ronyai [27], [29] conditionally proves exactly Theorem 8.2 (under the assumption of the Generalized Riemann Hypothesis).





Before proving this theorem, we derive one preliminary result. 
Lemma 8.4. Let $a, b \in \mathbb{Z}_{>0}$ be such that $b$ is odd and $(a/b) = 1$. Let $\ell$ be an odd prime such that $\ell b \in (\mathbb{Z}/a\mathbb{Z})^{\times 2}$ and $(a/\ell) = 1$. Then $\left(\frac{a, \ell b}{\mathbb{Q}}\right) \cong M_2(\mathbb{Q})$ if and only if $a$ is a square modulo $\operatorname{sqrad}(b)$.

Proof. Again, we have $\left(\frac{a, \ell b}{\mathbb{Q}}\right) \cong M_2(F)$ if and only if $(a, \ell b)_v = 1$ for all places $v$ of $\mathbb{Q}$. Since $a > 0$, we know $(a, \ell b)_\infty = 1$. By hypothesis, for all odd $p \mid a$ we have $(\ell b/p) = 1$ hence $(a, \ell b)_p = 1$, and similarly $(a, \ell b)_\ell = 1$. Moreover, since $(a/b) = 1$, the number of primes $p \mid \operatorname{sqrad}(b)$ such that $(a/p) = -1$ must be even, and since the quaternion algebra $\left(\frac{a, \ell b}{\mathbb{Q}}\right)$ is ramified at an even number of places, we conclude that $(a, \ell b)_2 = 1$. Therefore $\left(\frac{a, \ell b}{\mathbb{Q}}\right) = M_2(F)$ if and only if $(a, \ell b)_p = 1$ for all $p \mid \operatorname{sqrad}(b)$ if and only if $a$ is a square modulo $\operatorname{sqrad}(b)$. □



The preceding lemma shows that the two problems in Theorem 8.2 can be linked
by finding a suitable prime £. The conditions on £ are congruence conditions, so 
by the theorem on primes in arithmetic progression, such primes are abundant. 
Explicitly, we rely on a result from analytic number theory, a special case of a 
theorem due to Alford, Granville, and Pomerance [21. 

Lemma 8.5. There exist effectively computable (absolute) constants $x_0, D \in \mathbb{R}_{>0}$ such that whenever $x > x_0$, there is a set $\mathcal{D}(x)$ of at most $D$ integers for which



^ logi 



£=b (mod q) 



< 



20(g) 



whenever $q$ is not divisible by any element of $\mathcal{D}(x)$, with 1 < q < x^/^ and $\gcd(b, q) = 1$. Moreover, each element of $\mathcal{D}(x)$ exceeds $\log x$.

Proof. We take $\epsilon = 1/2$, $\delta = 1/5$, $A = 5/2 > 12/5$, and $y = x$ in the result of Alford, Granville, and Pomerance Theorem 2.1]; the fact that the constants are computable is discussed in the remark following their proof. □



Proof of Proposition 8.2. We must show that if we are able to solve (IsMatrixRing), then we can solve Problem (QuadraticResiduosity) in probabilistic polynomial time.

Let x = max((4b)^, x_0), with $x_0$ as in Lemma 8.5. Let $c$ be a random integer with $1 < c < b$. We compute $q \equiv ac^2 \pmod{4b}$ with $1 < q < 4b$ and $q \equiv 1 \pmod 4$. Then $q$ is a random element in $[1, 4b] \cap \mathbb{Z}$ such that $aq \in (\mathbb{Z}/b\mathbb{Z})^{\times 2}$ and $q \equiv 1 \pmod 4$.

$$\mathcal{Q} = \{1 < q < b : aq \in (\mathbb{Z}/b\mathbb{Z})^{\times 2},\ q \equiv 1 \pmod 4\}.$$

From Lemma 8.5 we have $\sum_{p < x,\ p \equiv a \pmod q} \log p < x/(2\phi(q))$ only if $q$ is divisible by some element of the set $\mathcal{D}(x)$, which contains at most $D$ elements each of size at most $\log x$; thus the set of such $q \in \mathcal{Q}$ has cardinality at most $D\,\#\mathcal{Q}/\log x$. Using partial summation (a standard argument which can be found in Davenport [HI p. 112]), it follows that a random $q \in \mathcal{Q}$ has probability $1 - D/\log x$ of satisfying

$$\pi(x; q, b) = \#\{\ell < x : p \text{ prime},\ \ell \equiv b \pmod q\} < \frac{1}{2\phi(q)} \frac{x}{\log x}$$






whenever $\gcd(b, q) = 1$. We then compute a random integer $1 < \ell < x$ with $\ell \equiv b \pmod q$ and test if $\ell$ is prime, which can be done in (deterministic) polynomial time [Tj. Combining these, in probabilistic polynomial time, we may assume that $\ell$ indeed is prime.

We conclude by calling the algorithm to solve (IsMatrixRing) on B = 
We have 




since $q \equiv 1 \pmod 4$, and $\ell b \equiv 1 \pmod q$. So by Lemma 8.4 we have $B = M_2(\mathbb{Q})$ if and only if $q$ is a square modulo $\operatorname{sqrad}(b)$, which holds only if $a$ is a square modulo $\operatorname{sqrad}(b)$, as desired. □

We leave the natural generalization where Q is replaced by a number field F as 
an open question. 